Description
Inappropriate implementation in Media Session in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-04
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An inappropriate implementation in the Media Session API of Google Chrome prior to version 149.0.7827.53 allows a remote attacker to construct a crafted HTML page that bypasses the same origin policy. The flaw enables a malicious site to access or interact with resources that should be confined to a different origin, potentially exposing sensitive data or facilitating further attacks. Chromium assesses the severity of this issue as medium.

Affected Systems

Google Chrome browsers running any version earlier than 149.0.7827.53 are affected. No other vendors or products are listed.

Risk and Exploitability

The exploit requires the attacker to deliver a crafted HTML page that leverages the Media Session API; thus the attack vector is likely remote via a web page that the attacker can host or serve. Based on the description, this inference is made. The CVSS score of 6.3 indicates medium severity, while an EPSS score of <1% suggests a low likelihood of exploitation at present. The vulnerability is not listed in CISA KEV, meaning no confirmed public exploitation has been reported. Until a patch is applied, users of affected Chrome versions remain at moderate risk of the policy bypass.

Generated by OpenCVE AI on June 5, 2026 at 20:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 149.0.7827.53 or newer.
  • Ensure that automatic updates are enabled, or manually check for updates if automatic updates are disabled.
  • If an immediate upgrade cannot be performed, consider disabling or restricting the Media Session API via enterprise policies or browser extensions until the fix is available.

Generated by OpenCVE AI on June 5, 2026 at 20:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6325-1 chromium security update
History

Tue, 09 Jun 2026 19:00:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Sun, 07 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Title Same Origin Policy Bypass via Media Session API in Google Chrome chromium-browser: Inappropriate implementation in Media Session
References
Metrics threat_severity

None

 threat_severity

Moderate

Fri, 05 Jun 2026 21:15:00 +0000

Type Values Removed Values Added
Title Same Origin Policy Bypass via Media Session API in Google Chrome

Fri, 05 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Title Google Chrome Media Session Same Origin Policy Bypass via Crafted Web Page
Weaknesses CWE-285

Fri, 05 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-346
Metrics cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 05 Jun 2026 06:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Fri, 05 Jun 2026 04:15:00 +0000

Type Values Removed Values Added
Title Google Chrome Media Session Same Origin Policy Bypass via Crafted Web Page
Weaknesses CWE-285

Thu, 04 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Inappropriate implementation in Media Session in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Medium)
References

Subscriptions

Apple Macos
Google Chrome
Linux Linux Kernel
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-05T16:15:21.589Z

Reserved: 2026-06-04T17:10:40.252Z

Link: CVE-2026-11181

cve-icon Vulnrichment

Updated: 2026-06-05T16:14:14.041Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-04T23:17:25.013

Modified: 2026-06-09T18:47:17.767

Link: CVE-2026-11181

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-02T00:00:00Z

Links: CVE-2026-11181 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-05T21:00:05Z

Weaknesses