Description
Insufficient validation of untrusted input in Dawn in Google Chrome on macOS prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
Published: 2026-06-08
Score: 3.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from insufficient validation of untrusted input in Dawn, Chromium's WebGPU implementation, in Google Chrome on macOS. A remote attacker who has already compromised the renderer process can use a specially crafted HTML page to read data from other origins, which the same-origin policy would normally protect. This leads to unauthorized disclosure of private or sensitive data; Chromium rates the flaw High severity.

Affected Systems

Google Chrome for macOS versions prior to 149.0.7827.103 are affected. Any workstation or device running these versions could be exploited by an attacker who gains renderer privileges.

Risk and Exploitability

Chromium rates the flaw High severity, while its CVSS score is 3.1 (Low); it is not yet listed in the CISA KEV catalog. Because EPSS information is unavailable, the exact likelihood of public exploitation is unknown, but the attacker must first compromise the renderer process, which limits the attack surface. An attacker who has done so can leak cross-origin data through malicious webpages.

Generated by OpenCVE AI on June 9, 2026 at 03:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install Chrome update 149.0.7827.103 or later on all affected macOS systems.
  • Verify that Chrome’s automatic update mechanism is enabled so future patches are applied without manual intervention.
  • Monitor for anomalous renderer activity and enforce strict site isolation policies if available.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos

Tue, 09 Jun 2026 04:15:00 +0000

Type Values Removed Values Added
Title Chrome macOS Renderer Data Leakage via Insufficient Input Validation

Tue, 09 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 01:00:00 +0000

Type Values Removed Values Added
Title Chrome macOS Renderer Data Leakage via Insufficient Input Validation
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Mon, 08 Jun 2026 23:45:00 +0000

Type Values Removed Values Added
Description Insufficient validation of untrusted input in Dawn in Google Chrome on macOS prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
Weaknesses CWE-20
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-09T01:22:53.886Z

Reserved: 2026-06-08T21:33:53.097Z

Link: CVE-2026-11686

Vulnrichment

Updated: 2026-06-09T01:22:39.144Z

NVD

Status: Analyzed

Published: 2026-06-09T00:16:52.000

Modified: 2026-06-09T14:52:00.360

Link: CVE-2026-11686

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T04:00:14Z
