CVE-2026-11685: Chrome MediaCapture Cross-Origin Data Leak on macOS
Google Chrome on macOS contains a flaw in how it handles media capture permissions that could allow an attacker to trick you into revealing data meant to be private to a specific website. By crafting a malicious webpage, an attacker can bypass Chrome's protections and leak information across website boundaries—essentially stealing data that should stay isolated to one origin. The vulnerability requires user interaction, such as visiting a malicious page, but does not require special privileges or system-level access.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
- Weaknesses (CWE)
- CWE-20
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Inappropriate implementation in MediaCapture in Google Chrome on Mac prior to 149.0.7827.103 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11685 is an inappropriate implementation flaw in Chrome's MediaCapture module affecting macOS systems prior to version 149.0.7827.103. The root cause is improper input validation (CWE-20) in how the browser enforces same-origin policy boundaries during media capture operations. A remote attacker can craft a HTML page that, when visited, triggers a cross-origin data leak by circumventing the security checks that normally isolate sensitive data between different website origins. The vulnerability is classified as High severity by Chromium's security team, though the CVSS 3.1 base score reflects the user interaction requirement and limited scope of the breach.
Business impact
For organizations, this vulnerability primarily affects users who rely on Chrome on macOS systems. The risk is confidentiality-focused: sensitive data (such as authentication tokens, personal information, or session data) could be exfiltrated from legitimate web applications when users visit compromised or attacker-controlled pages. This is particularly concerning for companies with high-value users or regulated data handling requirements. The requirement for user interaction—visiting a malicious page—means the threat is real but not automatic across your user base. However, given the proliferation of social engineering and link-sharing, the practical attack surface remains meaningful.
Affected systems
The vulnerability is specific to Google Chrome running on Apple macOS systems (all versions prior to 149.0.7827.103). Windows, Linux, and Android Chrome versions are not affected based on the CVE description. Users on the latest version of Chrome for Mac (149.0.7827.103 and later) are not at risk. This is a platform-specific flaw, not a universal Chrome issue.
Exploitability
Exploitability is moderate. The attack is practical and requires only a remote attacker capable of serving malicious HTML—no zero-day tools, complex heap spray techniques, or kernel exploits are needed. The significant barrier is user interaction: the victim must actively visit or be socially engineered into visiting a crafted page. Once there, the exploit is likely reliable and does not require additional user actions (like granting special permissions). The vulnerability is not currently listed in the Known Exploited Vulnerabilities (KEV) catalog, indicating no evidence of active, widespread in-the-wild exploitation at the time of disclosure, though this does not rule out future weaponization.
Remediation
The definitive remediation is to update Google Chrome on macOS to version 149.0.7827.103 or later. This patch is the result of Chromium's fix to the MediaCapture implementation, re-establishing proper same-origin policy enforcement. Users should enable automatic Chrome updates if not already configured. Organizations managing Chrome deployments should verify and deploy the patched version through their update channels.
Patch guidance
Confirm that Google Chrome on macOS is running version 149.0.7827.103 or later. Check this by opening Chrome, clicking the three-dot menu, navigating to 'About Google Chrome,' and verifying the version number. Chrome will automatically check for and install updates, but you can force an immediate check from the About menu. For centrally managed environments, use your mobile device management (MDM) or Chrome management tools to deploy the patched version. Verify patch application by spot-checking a sample of managed systems. There are no known compatibility issues with the patch.
Detection guidance
Look for suspicious network activity from Chrome processes on macOS systems that might indicate data exfiltration to unexpected domains. Monitor for signs of social engineering campaigns that may be driving users to malicious pages (anomalous link-sharing, phishing emails, etc.). If you maintain audit logs, search for Chrome crash or security-related logs from systems running vulnerable versions. Endpoint detection and response (EDR) tools may flag unexpected inter-process communication or unusual Chrome subprocess activity. The most practical approach is asset inventory: ensure you have visibility into Chrome versions across macOS systems and flag any instances below 149.0.7827.103.
Why prioritize this
This vulnerability merits timely but not emergency remediation. The CVSS 3.1 score of 4.3 (Medium) reflects that exploitation requires user interaction and only impacts confidentiality. However, the High severity rating from Chromium engineers signals that the underlying flaw is serious. Prioritization should consider your user base's macOS Chrome usage, exposure to social engineering risk, and the sensitivity of data accessible through web applications. If you have regulatory obligations (HIPAA, PCI-DSS, etc.), the data leakage risk elevates importance. Deploy within 30 days for general IT infrastructure; consider faster deployment for high-risk user groups.
Risk score, explained
The CVSS 3.1 base score of 4.3 results from the following factors: Network attack vector (AV:N) increases base severity; low attack complexity (AC:L) means minimal skill is needed; no privileges required (PR:N); but critically, user interaction (UI:R) is mandatory—the victim must visit the malicious page. The scope is unchanged (S:U), meaning data is leaked only within the Chrome process/context, not affecting other systems. Confidentiality is low (C:L) in the base score calculation, likely reflecting that not all data is at risk—only cross-origin data accessible during the media capture operation. Integrity and availability are unaffected (I:N, A:N). The High severity classification from Chromium reflects their assessment of real-world impact and the seriousness of the underlying flaw, which may differ from the numerical CVSS score.
Frequently asked questions
Do I need to grant Chrome special permissions for this exploit to work?
No. The vulnerability exists in Chrome's core media capture implementation and does not require the user to grant the attacker any additional permissions. The flaw is triggered simply by visiting a malicious webpage. However, if a website has already been granted microphone or camera access, the risk of data leakage may be amplified.
Is this vulnerability being actively exploited in the wild?
There is no evidence of active, widespread exploitation at the time of disclosure. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. However, the practical nature of the exploit (remote, low complexity) means it could be weaponized quickly if disclosure details become widely known.
Does this affect Chrome on Windows or Linux?
No. The vulnerability is specific to Chrome on macOS due to how the MediaCapture module is implemented on that platform. Users of Chrome on Windows, Linux, or Android are not affected by this flaw.
What kind of data can be leaked?
The vulnerability allows leakage of cross-origin data, meaning information that should be isolated between different websites. Depending on what the victim has authenticated to or accessed, this could include session tokens, personal information, form data, or other sensitive content. The exact scope depends on the victim's browsing session and what an attacker can craft the page to access.
This analysis is based on the CVE record and publicly available information as of the publication and modification dates listed. Security landscapes evolve; verify all patch versions, affected product lists, and remediation guidance against official vendor advisories from Google and Apple before deploying in production. This document does not constitute legal, compliance, or professional security advice. Organizations should conduct their own risk assessment and testing in non-production environments prior to applying patches. The absence of a vulnerability from the KEV catalog does not guarantee lack of exploitation; monitor threat intelligence feeds for emerging reports. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10004MEDIUMChrome UI Spoofing Vulnerability – Password Dialog Hijacking
- CVE-2026-10912MEDIUMChrome Extension Same-Origin Policy Bypass (CVSS 6.5)
- CVE-2026-10916MEDIUMChrome DevTools UXSS Vulnerability
- CVE-2026-11008MEDIUMChrome WebAppInstalls Cross-Origin Data Leak (CVSS 6.5)
- CVE-2026-11013MEDIUMChrome Network Input Validation Flaw Enables Memory Data Theft
- CVE-2026-11016MEDIUMChrome Same-Origin Policy Bypass (Medium Severity)
- CVE-2026-11022MEDIUMChrome DevTools Same-Origin Policy Bypass (Medium)
- CVE-2026-11023MEDIUMChrome Same-Origin Policy Bypass in WebAppInstalls