LOW 3.1

CVE-2026-11675: Chrome Skia Out-of-Bounds Read Leading to Cross-Origin Data Leak

Google Chrome contained a memory reading vulnerability in its Skia graphics library that could allow an attacker to steal sensitive data from other websites. The attacker would first need to compromise Chrome's renderer process—the sandboxed component that handles web page rendering—and then trick a user into visiting a specially crafted webpage. If successful, the flaw could leak cross-origin data, meaning information from a different website than the one the user thought they were visiting. This vulnerability affects Chrome versions prior to 149.0.7827.103 across Windows, macOS, and Linux systems.

Source data · NVD / CISA · public domain

CVSS
3.1 · 3.1 LOW · CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
Weaknesses (CWE)
CWE-20
Affected products
4 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Out of bounds read in Skia in Google Chrome prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11675 is an out-of-bounds read vulnerability in the Skia graphics engine used by Google Chrome. The flaw allows a remote attacker who has already achieved code execution in the renderer process to read memory beyond intended boundaries through a malicious HTML page, potentially exposing data from other origins. Skia's memory safety controls failed to properly validate bounds on a read operation, creating a window for cross-origin data disclosure. The vulnerability is classified as CWE-20 (Improper Input Validation), reflecting inadequate sanitization of graphics-related inputs or operations that could lead to out-of-bounds access.

Business impact

While the CVSS score is low, the business impact hinges on the renderer compromise prerequisite. Organizations relying on Chrome for accessing sensitive web applications—particularly those handling financial, healthcare, or proprietary data—face a secondary risk: if an attacker first compromises the renderer process through another vulnerability or social engineering, this flaw becomes a stepping stone to exfiltrate confidential information across site boundaries. For enterprises with strict data isolation policies, any cross-origin leak is a compliance concern. The impact is limited to confidentiality; integrity and availability are unaffected.

Affected systems

Google Chrome versions before 149.0.7827.103 running on Windows, macOS, and Linux are vulnerable. Because Chromium-based browsers (Edge, Brave, Opera, etc.) may incorporate the same Skia library, administrators should verify their specific browser versions and vendors. The vulnerability does not appear in the official advisory data as affecting browsers other than Chrome directly, so vendors of alternative browsers should be consulted for their patching status.

Exploitability

Exploitation requires a two-stage attack: the attacker must first compromise the renderer process through a separate vulnerability or social engineering tactic, then deliver a malicious HTML page to the victim. The CVSS vector reflects this complexity—the Attack Complexity is High, and User Interaction is Required. While the barrier to entry is elevated, the rendering process compromise is often achievable through XSS, watering-hole attacks, or supply-chain compromises. Once the renderer is compromised, the second stage is likely straightforward. This vulnerability was not added to CISA's Known Exploited Vulnerabilities (KEV) catalog, suggesting no widespread exploitation in the wild at time of publication.

Remediation

Update Google Chrome to version 149.0.7827.103 or later immediately. Users can verify their current version by navigating to chrome://settings/help, which will automatically check for and apply the latest release. Organizations managing Chrome fleet-wide should use Group Policy (Windows), configuration profiles (macOS), or enterprise deployment tools to enforce the update. Because the vulnerability requires prior renderer compromise, defense-in-depth strategies—such as disabling JavaScript where not needed, using security policies to restrict script execution, and maintaining robust endpoint detection—remain important even after patching.

Patch guidance

Google released patch 149.0.7827.103 to address this vulnerability. Deploy via Chrome's automatic update mechanism, or manually verify versions in enterprise environments using chrome://version. For large deployments, test the patch in a staging environment before rolling out broadly. Since exploitation requires a pre-existing renderer compromise, patching should be treated as urgent but not emergency-level if other mitigations (XSS defenses, process isolation) are already in place. Verify that your organization's Chrome deployment matches or exceeds the patched version number.

Detection guidance

Monitor for suspicious memory access patterns or crashes in Chrome's renderer process logs. Behavioral analytics should flag unusual cross-origin data reads or unusual memory access sequences. Web application firewalls and content security policies can help prevent malicious HTML delivery. Detection is challenging without deep process-level telemetry; consider deploying endpoint detection and response (EDR) tools that can track renderer process behavior and memory access anomalies. Log any crashes or renderer restarts, as exploitation attempts may leave traces. Monitor for unusual data exfiltration patterns post-rendering.

Why prioritize this

Although the CVSS score is low, the severity should be contextualized: the underlying Chromium engineering team marked this as High severity, reflecting the seriousness of cross-origin data leakage even within a sandboxed process. The two-stage attack requirement (prior renderer compromise) lowers urgency relative to direct remote code execution flaws, but organizations should prioritize this within 30 days. Any environment where users browse untrusted content or where renderer compromise vectors are plausible should patch sooner. The lack of KEV status indicates no active weaponized exploit, providing a window for orderly patching.

Risk score, explained

The CVSS 3.1 score of 3.1 (Low) reflects the attack complexity and prerequisites: an attacker needs network access, high attack complexity, user interaction, and prior control of the renderer process. Confidentiality impact is low because the leaked data is limited to cross-origin information accessible within the renderer's memory, not the entire system. However, the Chromium team's High severity rating indicates that in real-world scenarios—particularly if chained with other vulnerabilities—the practical risk is higher than the raw score suggests. Organizations should weight Chromium's assessment alongside CVSS when prioritizing.

Frequently asked questions

Do I need to update if I don't browse untrusted websites?

Yes. While the attack requires a malicious HTML page, users cannot always predict whether a website has been compromised or is hosting malicious ads. Additionally, renderer compromise can occur through other vectors like vulnerable browser extensions or updates to legitimate sites. Patching eliminates this vulnerability as a potential stepping stone for attackers.

What data could be leaked by this vulnerability?

The flaw allows reading memory from other origins (websites) within the same renderer process. This could include session tokens, cookies, form data, or other sensitive information from other tabs or windows the user has open. It does not grant access to the file system or other processes outside the browser.

Does this affect Chromium-based browsers like Edge or Brave?

Possibly, if those browsers vendors incorporate the vulnerable Skia version. You should check your browser vendor's security advisory for their specific patch status. Google's patch is for Chrome; other vendors must release their own updates based on the underlying Chromium code.

How is this different from a typical XSS vulnerability?

XSS allows script injection within a single origin. This vulnerability allows an attacker already inside the renderer process to read memory from other origins, bypassing the browser's same-origin policy for memory access. It is a more severe violation of the sandbox boundary.

This analysis is based on publicly available vulnerability data current as of June 2026. CVSS scores and severity ratings are provided by NVD and the Chromium project; organizations should apply their own risk assessment based on their environment. Patch version numbers and affected product lists are sourced from official vendor advisories; always verify against vendor documentation before deploying patches. This page does not constitute legal or compliance advice. No exploit code or weaponization details are included. This vulnerability requires a pre-existing renderer process compromise; organizations should implement defense-in-depth strategies beyond patching alone. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).