Description
Side-channel information leakage in Forms in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-04
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a side‑channel information leakage flaw in the Chrome Forms component. By loading a specially crafted HTML page, a remote attacker can cause Chrome to expose data that belongs to a different origin, effectively leaking confidential information from a user’s session. This is a CWE‑1300 and CWE‑205 type weakness and constitutes a data‑exposure risk.

Affected Systems

Google Chrome users with versions earlier than 149.0.7827.53 are affected. The flaw exists in the stable channel of the browser and any instance that has not received the latest security update is vulnerable.

Risk and Exploitability

The vulnerability is not listed in CISA’s KEV catalog and its EPSS score is less than 1%, indicating low current exploitation probability. The attack requires a user to visit a malicious webpage that triggers the side‑channel; once the page is rendered, cross‑origin data can be read. The CVSS score of 9.1 indicates high severity, and the potential impact could be substantial if sensitive data is exposed. No public exploit code is currently known.

Generated by OpenCVE AI on June 7, 2026 at 14:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to version 149.0.7827.53 or later via the official update channel.
  • Deploy the update to all managed devices using your enterprise update management tooling to minimize the window of exposure.
  • Continuously monitor Chrome release notes and security advisories to stay current on future mitigations and patches.

Generated by OpenCVE AI on June 7, 2026 at 14:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6325-1 chromium security update
History

Mon, 08 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Sun, 07 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Title chromium-browser: Side-channel information leakage in Forms
Weaknesses CWE-205
References
Metrics threat_severity

None

 threat_severity

Moderate

Fri, 05 Jun 2026 20:15:00 +0000

Type Values Removed Values Added
Title Cross‑Origin Form Data Leakage via Crafted HTML Page in Chrome

Fri, 05 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 05 Jun 2026 05:15:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Fri, 05 Jun 2026 04:15:00 +0000

Type Values Removed Values Added
Title Cross‑Origin Form Data Leakage via Crafted HTML Page in Chrome

Thu, 04 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Side-channel information leakage in Forms in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
Weaknesses CWE-1300
References

Subscriptions

Apple Macos
Google Chrome
Linux Linux Kernel
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-05T17:53:07.272Z

Reserved: 2026-06-04T17:10:31.663Z

Link: CVE-2026-11153

cve-icon Vulnrichment

Updated: 2026-06-05T17:52:54.943Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-04T23:17:21.723

Modified: 2026-06-08T14:56:12.980

Link: CVE-2026-11153

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-02T00:00:00Z

Links: CVE-2026-11153 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-07T15:00:13Z

Weaknesses
  • CWE-1300

    Improper Protection of Physical Side Channels

  • CWE-205

    Observable Behavioral Discrepancy