LOW 3.1

CVE-2026-11686: Chrome on macOS Cross-Origin Data Leak via Renderer Compromise

A flaw in Google Chrome's Dawn graphics library on macOS allows an attacker who has already compromised the browser's renderer process to trick the system into leaking data from other websites. The vulnerability requires the attacker to already have control over the renderer and the user to interact with a malicious webpage, making it a limited but real risk in scenarios where renderer escapes are already being exploited.

Source data · NVD / CISA · public domain

CVSS
3.1 · 3.1 LOW · CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
Weaknesses (CWE)
CWE-20
Affected products
2 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Insufficient validation of untrusted input in Dawn in Google Chrome on macOS prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11686 stems from insufficient validation of untrusted input within the Dawn graphics abstraction layer in Chrome on macOS versions before 149.0.7827.103. An attacker who controls the renderer process can craft HTML that bypasses cross-origin checks, permitting unauthorized data access across security boundaries. The issue is classified as CWE-20 (Improper Input Validation) and carries a CVSS v3.1 score of 3.1 (Low severity), reflecting the requirement for prior renderer compromise and user interaction.

Business impact

This vulnerability primarily affects organizations where employees browse untrusted content on macOS systems. While the attacker must already control the renderer process—a significant precondition—successful exploitation could enable data exfiltration from open sessions, potentially compromising authentication tokens, session IDs, or sensitive page content. The practical risk is moderate: it lowers the barrier for a second-stage attack after initial renderer compromise, but does not constitute a standalone remote code execution vector.

Affected systems

Google Chrome on macOS prior to version 149.0.7827.103 is vulnerable. The issue is specific to macOS and does not affect Chrome on Windows or Linux. Users running Chrome 149.0.7827.103 or later are protected. Apple macOS itself is listed as an affected platform in vendor metadata, though the vulnerability is in Chrome; no native macOS patches are required.

Exploitability

Exploitation is not straightforward and requires two concurrent conditions: (1) an attacker must already have compromised the Chrome renderer process, and (2) the user must visit a page controlled by the attacker. This layered requirement means the vulnerability is unlikely to be exploited in isolated attacks but becomes relevant in targeted campaigns where renderer exploits are chained with this flaw to amplify data theft. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities catalog, and no public exploit code has been disclosed.

Remediation

Users must upgrade Google Chrome on macOS to version 149.0.7827.103 or later. No workarounds are available. Organizations should enforce automatic Chrome updates or use managed deployment policies to roll out the patch within 48–72 hours of release. The vulnerability was published on 2026-06-09 and patched in the indicated version; verify your current Chrome version against the vendor release notes to confirm patch application.

Patch guidance

Update Chrome via Settings > About Google Chrome on macOS, or configure automatic updates if not already enabled. For enterprise deployments, use Google Chrome for Business or similar managed rollout tools to deploy version 149.0.7827.103 or later. Verify the patch installation by navigating to chrome://version and confirming the version number. No configuration changes are required post-patch; the fix is automatic upon upgrade.

Detection guidance

Monitor Chrome version numbers in your environment using mobile device management (MDM) or endpoint detection tools. Flag any macOS systems running Chrome versions below 149.0.7827.103. Behavioral detection is challenging because the attack requires renderer control; focus detection efforts upstream on other potential renderer exploits (memory corruption, logic bugs in V8 or Blink). Network monitoring for exfiltration of cross-origin data is unlikely to yield signals, since the data is accessed in-process.

Why prioritize this

While the CVSS score is Low (3.1), this vulnerability warrants medium priority in most organizations because it is a secondary exploit useful in advanced targeted campaigns. Organizations with strict browser security controls and limited exposure to untrusted content may deprioritize; those in high-risk sectors (finance, government, healthcare) or with employees regularly browsing adversary-controlled or user-generated content should patch within 2–4 weeks. It is not urgent compared to unauthenticated remote code execution flaws, but it should not be indefinitely deferred.

Risk score, explained

The CVSS v3.1 Low score (3.1) reflects the requirement for prior renderer compromise (increasing Attack Complexity), lack of integrity or availability impact (only confidentiality), and the need for user interaction. The score correctly characterizes the vulnerability as lower-risk than unauthenticated network attacks, but does not fully capture its value in chained exploit scenarios. Security teams should weight organizational risk context (employee browsing habits, exposure to malicious content) alongside the base score when setting patching timelines.

Frequently asked questions

Do I need to patch this if I'm on Windows or Linux Chrome?

No. CVE-2026-11686 is specific to macOS and does not affect Chrome on Windows or Linux. Users on those platforms are not vulnerable, though staying current with Chrome updates is a general best practice.

What does 'renderer process compromise' mean, and how likely is that?

The renderer process is the sandboxed component of Chrome that interprets web pages. Compromising it typically requires exploiting a separate memory safety or logic vulnerability in the browser. While not trivial, renderer exploits are discovered regularly and are common targets in targeted attacks. This vulnerability is dangerous in campaigns where the attacker already has a renderer exploit and wants to amplify damage.

Is there a workaround if I can't update immediately?

There is no effective workaround. You can reduce risk by limiting browsing to trusted sites only and disabling JavaScript in high-risk browsing contexts, but these are incomplete mitigations. Patching is the only reliable fix.

Will my data be stolen if I just visit an untrusted website?

No. Simply visiting a website cannot trigger this vulnerability. The attacker must control both the renderer process (via a separate exploit) and the webpage. If your Chrome is unpatched and you encounter a website that attempts exploitation, you would already need to be running an outdated, vulnerable build and the attacker would need multiple exploits in hand.

This analysis is based on official CVE records and vendor advisories current as of 2026-06-17. CVSS scores reflect base environmental assumptions and may not align with your organizational risk tolerance. Verify all patch versions and compatibility against the official Google Chrome release notes and your internal systems before deployment. SEC.co does not warrant the accuracy of third-party vendor data; contact Google directly for authoritative guidance on Chrome security updates. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).