Description
Insufficient policy enforcement in Paint in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-04
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in Google Chrome arises from insufficient policy enforcement within the Paint component, a flaw that aligns with CWE-639 and CWE-79, allowing a remote attacker to evade the same-origin policy by serving a specially crafted HTML page. This flaw enables the attacker to access resources that should be restricted to the page’s origin, potentially exposing private data or executing code in a trusted context. The issue was identified in Chrome versions prior to 149.0.7827.53.

Affected Systems

The affected product is Google Chrome, with versions older than 149.0.7827.53 vulnerable on all platforms. The advisory targets the stable channel but the defect exists in the underlying browser engine, so any instance using those earlier releases is at risk.

Risk and Exploitability

Chromium rates the issue Medium. The CVSS 3.1 score of 6.5 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N) and the EPSS score of < 1% indicate a moderate risk level with a very low probability of exploitation, and the vulnerability is not currently listed in the CISA KEV catalog, suggesting that widespread attacks are unlikely at present. Nevertheless, the attack requires only that a victim load a malicious webpage (user interaction, UI:R) and no privileged access (PR:N), making remote exploitation straightforward for an attacker with the ability to serve crafted content to victims. The absence of a high CVSS score does not eliminate the need for timely patching, especially for environments that handle sensitive data.

Generated by OpenCVE AI on June 7, 2026 at 16:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 149.0.7827.53 or later, which corrects the missing policy enforcement flaw identified as CWE-639 and CWE-79.
  • Enable automatic updates or configure system policies to ensure the latest Chrome release is installed promptly.
  • If a patch cannot be applied immediately, block or restrict the Paint API through Chrome’s content‑security‑policy or by disabling the component via flags.

Generated by OpenCVE AI on June 7, 2026 at 16:06 UTC.


Advisories
Source | ID | Title
Debian DSA | DSA-6325-1 | chromium security update
History

Mon, 08 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Sun, 07 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Title Same-Origin Policy Bypass via Paint Component in Google Chrome chromium-browser: Policy bypass in Paint
Weaknesses CWE-79
References
Metrics threat_severity

None

threat_severity

Moderate


Sat, 06 Jun 2026 08:15:00 +0000

Type Values Removed Values Added
Title Same-Origin Policy Bypass via Paint Component in Google Chrome

Sat, 06 Jun 2026 06:15:00 +0000

Type Values Removed Values Added
Title Same-Origin Policy Bypass via Paint Module in Google Chrome
Weaknesses CWE-285

Sat, 06 Jun 2026 04:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-639
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 05 Jun 2026 06:15:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Fri, 05 Jun 2026 04:30:00 +0000

Type Values Removed Values Added
Title Same-Origin Policy Bypass via Paint Module in Google Chrome
Weaknesses CWE-285

Thu, 04 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Insufficient policy enforcement in Paint in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Medium)
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-06T03:37:31.281Z

Reserved: 2026-06-04T17:10:27.840Z

Link: CVE-2026-11142

Vulnrichment

Updated: 2026-06-06T03:37:25.456Z

NVD

Status: Analyzed

Published: 2026-06-04T23:17:20.427

Modified: 2026-06-08T14:23:23.410

Link: CVE-2026-11142

Redhat

Severity: Moderate

Public Date: 2026-06-02T00:00:00Z

Links: CVE-2026-11142 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-07T16:15:03Z

Weaknesses
  • CWE-639

    Authorization Bypass Through User-Controlled Key

  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')