CVE-2026-11289 - Vulnerability Details

- chromium-browser: Side-channel information leakage in Paint

Description

Side-channel information leakage in Paint in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)

Published: 2026-06-04

Score: 6.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A flaw in the Paint component of Google Chrome prior to version 149.0.7827.53 enables a side‑channel information leak. By serving a maliciously crafted HTML page, a remote attacker can extract data from other origins that the browser processes, violating confidentiality. The weakness is classified as CWE‑1300, CWE‑203, and CWE‑205 and is considered low severity by Chromium security.

Affected Systems

Google Chrome (stable channel) releases before 149.0.7827.53 are affected. Users running these versions on any operating system are vulnerable if they open a crafted HTML page that utilizes the Paint API.

Risk and Exploitability

The EPSS score is < 1% and the vulnerability is not listed in CISA’s KEV catalog, indicating no known widespread exploitation yet. However, because the attack vector is a standard web page, any user who visits a malicious site can be impacted. The CVSS score of 6.5 indicates moderate risk beyond the previously considered low severity by Chromium security, but the knowledge that sensitive data could cross origin boundaries remains significant.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Google

Chrome

affected

Version	Status	Constraints
`149.0.7827.53`	affected	< 149.0.7827.53

Configuration 1 [-]

AND

cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*

OR	cpe:2.3:o:apple:macos:-:::::::*
	cpe:2.3:o:linux:linux_kernel:-:::::::*
	cpe:2.3:o:microsoft:windows:-:::::::*

No data.

Vendor Product Confidence Versions

Google

Chrome

100%

Version	Status	Scheme	Platform
`[149.0.7827.53,149.0.7827.53)`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Google Chrome to version 149.0.7827.53 or later.
Configure Chrome policies to disable or restrict the Paint API for untrusted content, if policy support is available.
Apply strict Content‑Security‑Policy headers on your web pages to prevent cross‑origin data exposure.

Generated by OpenCVE AI on June 7, 2026 at 15:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DSA	DSA-6325-1	chromium security update

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00197.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html
https://issues.chromium.org/issues/502239897
https://nvd.nist.gov/vuln/detail/CVE-2026-11289
https://www.cve.org/CVERecord?id=CVE-2026-11289

History

Tue, 09 Jun 2026 14:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Apple Apple macos Linux Linux linux Kernel Microsoft Microsoft windows
CPEs		cpe:2.3:a:google:chrome:::::::: cpe:2.3:o:apple:macos:-:::::::* cpe:2.3:o:linux:linux_kernel:-:::::::* cpe:2.3:o:microsoft:windows:-:::::::*
Vendors & Products		Apple Apple macos Linux Linux linux Kernel Microsoft Microsoft windows

Sun, 07 Jun 2026 12:15:00 +0000

Type	Values Removed	Values Added
Title		chromium-browser: Side-channel information leakage in Paint
Weaknesses		CWE-205
References		https://nvd.nist.gov/vuln/detail/CVE-2026-11289 https://www.cve.org/CVERecord?id=CVE-2026-11289
Metrics	threat_severity `None`	threat_severity `Low`

Fri, 05 Jun 2026 21:15:00 +0000

Type	Values Removed	Values Added
Title	Side-Channel Leak in Chrome Paint Allows Cross-Origin Data Leakage via Crafted Page

Fri, 05 Jun 2026 19:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-203
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 05 Jun 2026 01:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Google Google chrome
Vendors & Products		Google Google chrome

Fri, 05 Jun 2026 01:00:00 +0000

Type	Values Removed	Values Added
Title		Side-Channel Leak in Chrome Paint Allows Cross-Origin Data Leakage via Crafted Page

Thu, 04 Jun 2026 23:45:00 +0000

Type	Values Removed	Values Added
Description		Side-channel information leakage in Paint in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
Weaknesses		CWE-1300
References		https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/502239897

Subscriptions

Apple Macos

Google Chrome

Linux Linux Kernel

Microsoft Windows

MITRE

Status: PUBLISHED

Assigner: Chrome

Published: 2026-06-04T23:06:20.159Z

Updated: 2026-06-05T19:00:49.592Z

Reserved: 2026-06-04T17:11:16.729Z

Link: CVE-2026-11289

Vulnrichment

Updated: 2026-06-05T19:00:39.776Z

NVD

Status : Analyzed

Published: 2026-06-05T00:17:06.440

Modified: 2026-06-09T13:58:32.577

Link: CVE-2026-11289

Redhat

Severity : Low

Publid Date: 2026-06-02T00:00:00Z

Links: CVE-2026-11289 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-07T15:45:03Z

Weaknesses

CWE-1300
Improper Protection of Physical Side Channels
CWE-203
Observable Discrepancy
CWE-205
Observable Behavioral Discrepancy

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object