LOW 3.1

CVE-2026-11684: Chrome Network Policy Enforcement Vulnerability – Cross-Origin Data Leak Risk

A policy enforcement gap in Google Chrome's Network component allowed attackers who had already compromised Chrome's utility process to steal cross-origin data by serving a specially crafted HTML page. This is a post-compromise attack where the attacker has already gained some level of access to the browser process itself, then exploits this weakness to read data that should be isolated between different websites.

Source data · NVD / CISA · public domain

CVSS
3.1 · 3.1 LOW · CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
Weaknesses (CWE)
CWE-693
Affected products
4 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Insufficient policy enforcement in Network in Google Chrome prior to 149.0.7827.103 allowed a remote attacker who had compromised the utility process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11684 stems from insufficient policy enforcement in the Network component of Google Chrome versions prior to 149.0.7827.103. The vulnerability relates to CWE-693 (Protection Mechanism Failure), allowing a remote attacker with a compromised utility process to leak cross-origin data through a malicious HTML page. The Chromium security team rated this as High severity from a browser architecture perspective, though the CVSS 3.1 score reflects the requirement for an already-compromised utility process (AC:H, PR:N). The attack vector is network-based and requires user interaction (UI:R), but the net impact is confidentiality loss limited to the compromised user's session (S:U, C:L).

Business impact

While the CVSS score is low, this vulnerability carries operational significance for organizations managing Chrome deployments. The risk is primarily to users of affected Chrome installations rather than direct infrastructure impact. Organizations should weigh: (1) prevalence of Chrome in their environment, (2) likelihood of targeted compromise of the utility process in their threat model, and (3) sensitivity of cross-origin data their users access. For most organizations, this is a moderate-priority patch; for those handling highly sensitive browser-based applications or with strict data segregation requirements, it warrants faster action.

Affected systems

Google Chrome versions prior to 149.0.7827.103 are affected. The vulnerability applies across multiple operating systems: macOS (Apple), Linux (Linux kernel), and Windows (Microsoft). Organizations should verify their current Chrome version against the fix version 149.0.7827.103 and ensure deployment coverage across all supported platforms in use.

Exploitability

Exploitation requires an attacker to have already compromised the Chrome utility process, which is a significant barrier. This is not a zero-click or drive-by compromise vector. An attacker must first establish access to the utility process, then craft and serve malicious HTML to the user. The requirement for user interaction (clicking, navigation) adds another layer of friction. In practice, this vulnerability is most relevant in targeted campaigns where an attacker has partial Chrome sandbox compromise and seeks to escalate data exfiltration; it is not expected to be a primary attack vector in mass exploitation scenarios.

Remediation

Organizations should deploy Chrome version 149.0.7827.103 or later across all affected systems. Verify the patch version against Google's official Chrome release notes. For macOS systems, ensure Chrome auto-update is enabled or manually update through System Preferences > Chrome > About Google Chrome. On Windows and Linux, Chrome typically auto-updates, but administrators should verify rollout in managed environments. Test the patch in a controlled environment before organization-wide deployment to ensure compatibility with critical web applications.

Patch guidance

Apply Chrome version 149.0.7827.103 or any subsequent stable release. For enterprises with managed Chrome deployments: (1) verify your current version via chrome://version/, (2) check Google's official advisory for any phased rollout details, (3) test web application compatibility in a pre-production environment, (4) use Group Policy (Windows) or managed preferences (macOS/Linux) to control update timing if needed, (5) confirm rollout completion with telemetry or inventory tools. No rollback is expected to be necessary; this patch does not introduce breaking changes to documented APIs.

Detection guidance

Detection of active exploitation is challenging without network-level inspection or endpoint logs indicating utility process compromise. Organizations can: (1) monitor Chrome process behavior via EDR tools for unusual utility process spawning or inter-process communication, (2) log and alert on any incidents where a utility process attempts network access, (3) track browser version deployment to identify lagging systems, (4) use browser telemetry (if enabled) to monitor sandbox violations or policy breaches. Once patched, the policy enforcement is restored and the attack surface is eliminated.

Why prioritize this

Although the CVSS score is low (3.1), this should not delay patching because: (1) Chrome patches are frequently low-effort deployments with auto-update mechanisms already in place, (2) the vulnerability requires prior compromise, making it a secondary risk in an attacker's chain, (3) the fix is already available and stable, and (4) browser vendors typically recommend rapid adoption of network/sandbox security fixes to close exploitation chains. Prioritize this alongside routine Chrome patching cycles rather than as an emergency, but do not deprioritize it due to the low CVSS score alone.

Risk score, explained

The CVSS 3.1 score of 3.1 (LOW) reflects: Network attack vector (AV:N), High Attack Complexity due to the need for prior utility process compromise (AC:H), no privileges required (PR:N), user interaction required (UI:R), unchanged scope (S:U), and Low confidentiality impact confined to the compromised user's data (C:L). The score appropriately captures the need for a pre-existing compromise condition. However, Chromium's High severity rating reflects the browser's internal risk assessment regarding sandbox integrity and cross-origin policy enforcement, which are foundational to browser security architecture.

Frequently asked questions

Does this vulnerability allow code execution or is it just data leakage?

This vulnerability is limited to confidentiality impact—an attacker can leak cross-origin data that should be isolated between websites. There is no indication of code execution capability or privilege escalation beyond what the compromised utility process already permits. The impact is data exfiltration within the context of a single user's browser session.

My organization uses Chrome in a restricted network environment. Is this still relevant?

Yes. The vulnerability requires network-based interaction (malicious HTML page served to the user), which assumes internet connectivity or at minimum access to a web server the user can reach. If your Chrome users are completely air-gapped, the practical risk is lower, but patching remains prudent for defense-in-depth. If users access any web content—internal applications, cloud services, or the public internet—assume this patch is relevant.

Does this affect Chrome extensions or only the browser core?

The vulnerability is in Chrome's Network component and policy enforcement for cross-origin isolation, which are core browser functions. Extensions do not directly trigger this vulnerability, though a compromised extension or malicious webpage could work in tandem with a compromised utility process to exploit it. Patching the browser core mitigates the underlying weakness.

How does this relate to Chrome's sandbox security model?

This is a sandbox policy enforcement gap, not a sandbox escape. An attacker must first compromise the utility process (already inside the sandbox), then exploits insufficient policy enforcement to leak data that should be protected by sandboxing rules. The patch restores the intended policy enforcement, strengthening the sandbox's isolation guarantees.

This analysis is based on vendor disclosures and publicly available information as of the publication date. Security ratings and CVSS scores are provided as context but should not be used as the sole basis for patching decisions. Organizations are responsible for assessing the vulnerability's applicability to their specific environment and threat model. Always verify patch version numbers and compatibility against official vendor advisories before deployment. This information is provided for informational purposes and does not constitute legal or professional security advice. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).