MEDIUM 4.3

CVE-2026-11665: Chrome Out-of-Bounds Read Vulnerability (Windows) – Cross-Origin Data Leak

A flaw in Google Chrome's graphics rendering engine (Dawn) on Windows could allow an attacker to trick a user into visiting a malicious webpage that leaks sensitive data from other websites the user is logged into. The vulnerability requires user interaction—the user must visit the crafted page—but does not require any special permissions or complex attack setup. The leaked data is limited in scope and does not include the ability to modify or destroy information.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Weaknesses (CWE)
CWE-125
Affected products
2 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Out of bounds read in Dawn in Google Chrome on Windows prior to 149.0.7827.103 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11665 is an out-of-bounds read vulnerability in Dawn, Chrome's WebGPU graphics abstraction layer, affecting Windows builds prior to version 149.0.7827.103. The flaw permits an unauthenticated remote attacker to bypass same-origin policy protections and exfiltrate cross-origin data through a specially crafted HTML page. The vulnerability stems from improper bounds checking in memory access operations within the graphics pipeline. While the Chromium project assigned a High security severity rating, the CVSS v3.1 score reflects the requirement for user interaction and the confidentiality-only impact (no integrity or availability compromise). The attack surface is the web browsing context, and successful exploitation leaves no persistent footprint on the victim's system.

Business impact

For organizations where employees browse the web on Windows systems running Chrome, this vulnerability creates a focused data leakage risk. Attackers could craft pages that passively harvest authentication tokens, session cookies, or sensitive page content from cross-origin services—particularly SaaS platforms, corporate web apps, or cloud services where users are simultaneously logged in. The requirement for user click-through reduces the statistical likelihood of mass exploitation, but targeted campaigns against high-value users or employees at specific organizations remain practical. Business continuity is not threatened, but confidentiality of user sessions and data is at direct risk.

Affected systems

Google Chrome on Windows is the only affected platform. Desktop and laptop Windows systems running Chrome versions earlier than 149.0.7827.103 are in scope. Chrome on macOS, Linux, iOS, and Android are not affected by this specific flaw. Users running Chrome version 149.0.7827.103 or later are not vulnerable. The vulnerability does not affect other Chromium-based browsers (such as Edge or Brave) unless they independently bundle the vulnerable Dawn version—verify compatibility against individual vendor advisories.

Exploitability

Exploitation requires moderate attacker effort: crafting a malicious HTML page is straightforward, but the attacker must also convince or trick a user into visiting it. No authentication or special system privileges are required on the attacker side. The attack does not trigger obvious browser warnings or security indicators, making it suitable for social engineering or redirect-based delivery. However, the vulnerability does not lend itself to wormable propagation or zero-click infection, and modern browsers' sandboxing and same-origin policy framework substantially limit the scope of leakable data. The practical impact is therefore constrained to actively targeted campaigns rather than opportunistic mass exploitation.

Remediation

Update Google Chrome to version 149.0.7827.103 or later on all Windows systems. Chrome's auto-update mechanism should deliver this patch automatically within days of release; however, users with auto-update disabled or running managed enterprise deployments must initiate manual updates. For IT teams deploying Chrome through Windows Group Policy or mobile device management, configuration should be verified to enforce the minimum patched version. No workarounds—such as disabling WebGPU or graphics acceleration—are required or recommended; patching is the only mitigation.

Patch guidance

Verify that all Windows systems in your environment have updated Chrome to 149.0.7827.103 or later by checking Help > About Google Chrome, which will display the current version and auto-update status. For enterprise deployments, use Chrome's reporting and compliance tools (or third-party MDM solutions) to confirm patch coverage. Test the update in a staging environment if your organization uses Chrome extensions or bespoke web applications that depend on specific graphics APIs. Monitor Chrome's official release notes and security updates page for any subsequent patches to this line, as additional graphics-related vulnerabilities are periodically disclosed.

Detection guidance

Detection of exploitation is challenging because the attack is entirely client-side and asynchronous. Monitor for unusual outbound HTTPS connections from Chrome processes, particularly to domains not previously visited by the user, especially if the user's browser history shows recent visits to untrusted or phishing-like sites. Examine web server logs for anomalous cross-origin requests or unusual User-Agent patterns. Network detection is most effective when combined with endpoint telemetry (e.g., process execution, file I/O, registry changes) that correlates suspicious browser behavior with data exfiltration. Behavioral baselines for trusted web applications help identify deviations. No specific IDS/IPS signatures are available, as the malicious payload is rendered HTML; focus on user behavior analytics and session anomaly detection.

Why prioritize this

Although the CVSS score is 4.3 (MEDIUM), the vulnerability merits prompt attention because it directly enables session hijacking and cross-origin data theft—two of the most damaging outcomes for web-reliant organizations. The attack surface is universal (any website visit), user interaction is required but routine, and the patch is simple to deploy. Delayed patching leaves all Chrome users on Windows exposed to targeted attacks, especially those working with sensitive SaaS or internal web applications. The vulnerability is not yet in active public exploitation (not in the KEV catalog), but disclosure is public and proof-of-concept development is likely. A 2–4 week patching window is reasonable for most organizations; critical teams handling highly sensitive data should prioritize faster rollout.

Risk score, explained

The CVSS v3.1 score of 4.3 reflects the network attack vector (AV:N), low attack complexity (AC:L), no privilege requirement (PR:N), and required user interaction (UI:R). The impact is limited to confidentiality (C:L), with no integrity or availability impact. While Chromium's internal severity is High, CVSS penalizes the user-interaction requirement and the scope limitation (unchanged origin), resulting in a MEDIUM overall score. This score appropriately captures that the vulnerability is serious enough to warrant immediate patching but does not pose systemic risk to infrastructure or render systems unstoppable—the damage is measurable but bounded.

Frequently asked questions

If I'm running Chrome on macOS or Linux, am I affected?

No. This vulnerability is specific to Windows. Chrome on macOS, Linux, iOS, and Android does not contain this flaw. However, if you manage a mixed-platform environment, ensure that all Windows users are on 149.0.7827.103 or later.

Does this vulnerability allow an attacker to steal my password or infect my computer?

No. This flaw enables theft of session tokens and data already loaded in your browser from other websites. It does not allow password exfiltration directly, malware installation, or file system compromise. However, stolen session tokens can grant unauthorized access to your accounts. Changing passwords and reviewing account activity after a suspected attack is prudent.

Can I disable WebGPU or graphics acceleration to stay safe while waiting to patch?

Disabling graphics acceleration is not necessary and is not recommended. The patch is the only reliable mitigation. Disabling features may degrade browser performance and is likely to be reversed by auto-updates anyway. Update as soon as possible instead.

How do I verify that my Chrome update was successful?

Open Chrome and navigate to Help > About Google Chrome (or chrome://settings/help). The browser will automatically check for updates and display your current version. You should see version 149.0.7827.103 or higher. If an update is pending, the page will prompt you to relaunch the browser to apply it.

This analysis is provided for informational and educational purposes and does not constitute legal, compliance, or professional security advice. Organizations must independently verify all technical details, patch versions, and affected product lists against vendor advisories and conduct their own risk assessments. SEC.co does not guarantee the accuracy, completeness, or timeliness of this content. Patching decisions should align with your organization's change management and risk governance processes. No liability is assumed for actions taken or omitted based on this information. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).