Description
Insufficient validation of untrusted input in Storage Access API in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
Published: 2026-06-04
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Google Chrome’s Storage Access API accepts untrusted input without adequate validation, enabling a remote attacker who has already compromised the renderer process to construct a crafted HTML page that can read and leak cross‑origin data. This flaw falls under CWE‑20 – Improper Input Validation, and its primary consequence is the loss of data confidentiality.

Affected Systems

Google Chrome versions prior to 149.0.7827.53 are affected. The vulnerability exists in the Storage Access API implementation in the renderer component.

Risk and Exploitability

The CVSS score for this vulnerability is 7.5, which falls into the high severity range. The CVE is rated low in Chromium’s own severity assessment, and exploitability metrics are not publicly disclosed, which suggests limited exploitation likelihood. The flaw requires that the attacker first compromise the renderer process, meaning a successful exploitation path would involve a broader privilege escalation attack. The vulnerability is not listed in CISA’s KEV catalog, further indicating a lower immediate threat. Nonetheless, any compromise that grants renderer access could lead to cross‑origin data leaks, so organizations should evaluate the risk of renderer process exploitation in their environment.

Generated by OpenCVE AI on June 5, 2026 at 13:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 149.0.7827.53 or later.
  • Disable the use of the Storage Access API for untrusted sites via policy or content settings to prevent cross‑origin data access.
  • Apply least privilege to the renderer process and monitor for compromise indicators to limit the impact of a potential renderer exploitation.

Generated by OpenCVE AI on June 5, 2026 at 13:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 13:45:00 +0000

Type Values Removed Values Added
Title Storage Access API Improper Validation Enables Cross‑Origin Data Leakage

Fri, 05 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 05 Jun 2026 01:45:00 +0000

Type Values Removed Values Added
Title Storage Access API Improper Validation Enables Cross‑Origin Data Leakage

Fri, 05 Jun 2026 01:00:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Thu, 04 Jun 2026 23:45:00 +0000

Type Values Removed Values Added
Description Insufficient validation of untrusted input in Storage Access API in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
Weaknesses CWE-20
References

Subscriptions

Google Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-05T11:01:54.797Z

Reserved: 2026-06-04T17:11:06.045Z

Link: CVE-2026-11255

cve-icon Vulnrichment

Updated: 2026-06-05T11:00:28.151Z

cve-icon NVD

Status : Received

Published: 2026-06-05T00:17:02.100

Modified: 2026-06-05T12:16:37.083

Link: CVE-2026-11255

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-05T13:30:36Z

Weaknesses