Description
Side-channel information leakage in Paint in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
Published: 2026-06-04
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the Paint component of Google Chrome prior to version 149.0.7827.53 enables a side‑channel information leak. By serving a maliciously crafted HTML page, a remote attacker can extract data from other origins that the browser processes, violating confidentiality. The weakness is classified as CWE‑1300 and is considered low severity by Chromium security.

Affected Systems

Google Chrome (stable channel) releases before 149.0.7827.53 are affected. Users running these versions on any operating system are vulnerable if they open a crafted HTML page that utilizes the Paint API.

Risk and Exploitability

The EPSS score is unavailable and the vulnerability is not listed in CISA’s KEV catalog, indicating no known widespread exploitation yet. However, because the attack vector is a standard web page, any user who visits a malicious site can be impacted. The low severity rating reflects the limited impact scope relative to other Chrome flaws, but the knowledge that sensitive data could cross origin boundaries is still significant.

Generated by OpenCVE AI on June 5, 2026 at 00:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 149.0.7827.53 or later.
  • Configure Chrome policies to disable or restrict the Paint API for untrusted content, if policy support is available.
  • Apply strict Content‑Security‑Policy headers on your web pages to prevent cross‑origin data exposure.

Generated by OpenCVE AI on June 5, 2026 at 00:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 01:15:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Fri, 05 Jun 2026 01:00:00 +0000

Type Values Removed Values Added
Title Side-Channel Leak in Chrome Paint Allows Cross-Origin Data Leakage via Crafted Page

Thu, 04 Jun 2026 23:45:00 +0000

Type Values Removed Values Added
Description Side-channel information leakage in Paint in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
Weaknesses CWE-1300
References

Subscriptions

Google Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-04T23:06:20.159Z

Reserved: 2026-06-04T17:11:16.729Z

Link: CVE-2026-11289

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-05T00:17:06.440

Modified: 2026-06-05T00:17:06.440

Link: CVE-2026-11289

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-05T01:00:14Z

Weaknesses