CVE-2026-11691: Chrome New Tab Page Cross-Origin Data Leak – Patch Now
Google Chrome contained a flaw in its New Tab Page that could allow attackers who had already compromised Chrome's renderer process to steal data from websites across different origins. The vulnerability required an attacker to have already broken into the renderer—the sandboxed component that runs web content—and then trick a user into visiting a malicious HTML page. While the Chromium security team rated this High severity internally, the calculated CVSS score is Low (3.1) because the attack requires both prior renderer compromise and user interaction.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 3.1 LOW · CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
- Weaknesses (CWE)
- CWE-20
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Insufficient validation of untrusted input in New Tab Page in Google Chrome prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11691 is an input validation deficiency (CWE-20) in Chrome's New Tab Page component that failed to properly validate untrusted input, enabling cross-origin data leakage. The vulnerability existed in Chrome versions prior to 149.0.7827.103. Exploitation requires an attacker to have already gained code execution in the renderer process—a privileged execution context within the browser sandbox—and then serve a specially crafted HTML page to the victim. Under these conditions, the attacker could read data from origins other than the crafted page, violating the same-origin policy that normally isolates web content.
Business impact
The business risk is moderate but contingent on prior compromise. Organizations where employees use Chrome face exposure only if an attacker has already successfully compromised the renderer process through another vulnerability or attack vector. The secondary step of crafting a malicious page and steering users to it is relatively straightforward once renderer access is obtained. For enterprises running Chrome on unpatched systems, this creates a chaining risk: a first vulnerability could be leveraged alongside this one to escalate data theft. Affected users could have sensitive information from cross-origin sites exposed, including session tokens, form data, or other confidential content.
Affected systems
The vulnerability affects Google Chrome prior to version 149.0.7827.103 across Windows, macOS, and Linux systems. The listing also includes Linux kernel and Windows as affected platforms, likely because Chrome runs on those operating systems; however, the vulnerability is specific to Chrome itself. Any installation of Chrome below the patched version 149.0.7827.103 on any of these platforms should be considered at risk.
Exploitability
Exploitability is constrained but not negligible. An attacker must first achieve renderer process compromise—a significant barrier that typically requires exploiting a separate vulnerability. Once renderer access is obtained, the attack surface simplifies: the attacker crafts a malicious HTML page and must convince the user to navigate to it (user interaction is required per the CVSS vector). The attack is not a one-click remote code execution; it is a post-compromise technique that extends the damage of an already-successful attack. The CVSS score of 3.1 reflects these prerequisites, though the internal Chromium severity of High underscores that defenders should not underestimate the impact once a renderer is compromised.
Remediation
Update Google Chrome to version 149.0.7827.103 or later. Chrome's auto-update mechanism should handle deployment, but verify the version in Chrome Settings > About Google Chrome to confirm. Users and administrators should enable automatic updates and restart the browser to activate the patched version. No workarounds are documented; patching is the required remediation.
Patch guidance
Patch Chrome to 149.0.7827.103 or later at your earliest convenience. While the CVSS score is low, the requirement that an attacker must first compromise the renderer process means this vulnerability is typically part of a multi-stage attack. Prioritize patching in environments where other high-severity Chrome vulnerabilities have been found or if you have indicators of renderer-exploitation attempts. Verify the update installation by navigating to Chrome Settings > About Google Chrome; the browser will display the installed version and confirm if it is up to date.
Detection guidance
Detection is difficult because the vulnerability manifests as suspicious cross-origin data access within an already-compromised renderer process. Monitor for unexpected data exfiltration or unusual cross-site requests originating from Chrome processes. Behavioral signals include: users visiting untrusted or suspicious web pages followed by data access anomalies, or Chrome processes making unexpected network connections to attacker-controlled domains. Endpoint detection and response (EDR) tools may flag unusual inter-process communication or memory access patterns if they have visibility into renderer behavior. Log authentication events and session activity for signs of compromised accounts that could result from stolen credentials accessed via this vulnerability.
Why prioritize this
This vulnerability merits prompt but not emergency attention. The CVSS score of 3.1 places it at low priority in isolation, but the Chromium High severity rating and the risk of chaining with other vulnerabilities warrant timely patching. Organizations should batch this update with other Chrome security patches in a regular maintenance cycle. If your environment has evidence of renderer-exploitation attempts or if you are running other unpatched high-risk Chrome vulnerabilities, elevate the priority of this patch.
Risk score, explained
The CVSS 3.1 score of 3.1 (Low severity) reflects the requirement that an attacker must already control the renderer process (a significant prerequisite) and that the user must interact with a crafted page. The attack vector is network-based, but access is not adjacent and user interaction is required, both of which reduce the score. The confidentiality impact is limited (reading cross-origin data), and there is no integrity or availability impact. However, the Chromium team's High internal severity rating acknowledges that once the renderer is compromised—via an unrelated vulnerability—this flaw becomes a powerful tool for escalating data theft, justifying timely remediation despite the low CVSS score.
Frequently asked questions
Can this vulnerability be exploited without first compromising the renderer process?
No. The vulnerability requires that an attacker has already achieved code execution in Chrome's renderer process. The renderer is the sandboxed component that executes web content. Without prior renderer compromise, the flaw is not exploitable. This is why the attack vector in the CVSS score is rated 'High' complexity.
What is the difference between the CVSS Low score and Chromium's High severity rating?
CVSS scores are calculated using defined criteria and reflect the technical difficulty and impact of exploitation as a standalone flaw. Chromium's internal severity assessment considers the vulnerability's role in attack chains and its impact once the renderer is compromised. A CVSS Low score does not mean the vulnerability is unimportant; it means the barrier to exploitation is high. In this case, the barrier is the need for prior renderer compromise. Once that condition is met, the flaw becomes dangerous, which is why Chromium rated it High.
Does auto-update ensure I am protected against this vulnerability?
If Chrome auto-updates are enabled (the default), the browser should automatically download and install version 149.0.7827.103 or later. However, the patch takes effect only after restart. Verify protection by opening Chrome Settings > About Google Chrome and confirming the version is 149.0.7827.103 or higher. If the version is still below 149.0.7827.103, restart the browser and check again.
Are there any known public exploits for this vulnerability?
The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog, indicating no evidence of active exploitation in the wild at the time of reporting. However, the security community should assume that once detailed technical information is published, exploit development becomes a realistic threat. Patching promptly reduces the window of opportunity for attackers to develop and deploy working exploits.
This analysis is provided for informational purposes and reflects the security data available as of the publication date. While every effort is made to ensure accuracy, SEC.co does not guarantee the completeness or timeliness of vulnerability remediation information. Consult official vendor advisories and security bulletins from Google Chrome for authoritative patch details and deployment guidance. Organizations should conduct their own risk assessment based on their specific environment, threat model, and asset criticality. This content does not constitute legal, compliance, or professional security advice. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-11240LOWChrome Site Isolation Bypass – Low-Severity Input Validation Flaw
- CVE-2026-11244LOWChrome WebAuthentication Input Validation Bypass
- CVE-2026-11251LOWChrome Password Manager Policy Enforcement Flaw
- CVE-2026-11675LOWChrome Skia Out-of-Bounds Read Leading to Cross-Origin Data Leak
- CVE-2026-10004MEDIUMChrome UI Spoofing Vulnerability – Password Dialog Hijacking
- CVE-2026-10021HIGHGoogle Chrome USB Validation Flaw – RCE Vulnerability Patch
- CVE-2026-10904HIGHChrome V8 Sandbox Escape Remote Code Execution
- CVE-2026-10911HIGHChrome Sandbox Escape Vulnerability (High Severity)