CVE-2026-11156 in Chrome
Summary
by MITRE • 06/05/2026
Inappropriate implementation in CSS in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
Analysis
by VulDB Data Team • 06/05/2026
This vulnerability is a cross-origin data leak in the Cascading Style Sheets (CSS) implementation of Google Chrome. The flaw stems from improper handling of CSS properties and their interaction with cross-origin resources, allowing a malicious actor to craft an HTML page that extracts sensitive data belonging to a different origin. It affects versions prior to 149.0.7827.53 and carries a Chromium security severity rating of Medium. The implementation error occurs when Chrome processes CSS rules that reference resources from other domains, creating an information disclosure pathway. This type of weakness is classified under Common Weakness Enumeration (CWE) 120, which covers weaknesses in input handling and data flow control. The attack vector is a remote malicious actor who serves a crafted HTML page containing specific CSS properties that trigger the information leak when the page is rendered in a vulnerable browser version.
The operational impact of this vulnerability extends beyond simple data leakage: it enables attackers to gather sensitive cross-origin information, which could include user data, session tokens, or other confidential resources. When a user visits a malicious website, the crafted CSS can cause the browser to issue requests or expose data that cross-origin policies should normally restrict. This is a significant concern for web application security and user privacy, because it lets attackers bypass the security boundaries that are supposed to protect resources from unauthorized access. The vulnerability undermines the browser's security model by creating an information disclosure pathway that should not exist. According to attack technique 1190 in the attack tree framework, this falls under information gathering through web-based attacks that exploit browser implementation flaws.
Mitigation requires prompt patching of affected Chrome installations to the fixed release 149.0.7827.53 or later. Organizations should enforce browser update policies so that all users receive security patches without delay. Additionally, network administrators can deploy web application firewalls that monitor for suspicious CSS patterns and cross-origin resource requests. A strict Content Security Policy can help prevent malicious CSS from being applied, and browser hardening measures such as disabling unnecessary CSS features reduce the attack surface. Security teams should also monitor for indicators of compromise related to this vulnerability and maintain proper incident response procedures. Organizations should consider browser security extensions or enterprise browser management tools that enforce additional restrictions on CSS processing. The vulnerability underlines the importance of keeping browser security implementations up to date and of continuously monitoring web application environments.
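The first mitigation above is a fleet-wide version check against 149.0.7827.53. The script below is an added example written for this page, not code from VulDB, MITRE or the Chromium project; the host names and reported version strings in the sample inventory are constructed. It shows the one detail such a check commonly gets wrong: Chrome versions must be compared component by component as integers, because a plain string comparison ranks a build like 149.0.7827.9 above 149.0.7827.53 and would report a vulnerable build as patched.

```python
import re

# Fixed release named in the advisory: this build and later are patched.
FIXED_VERSION = "149.0.7827.53"

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_chrome_version(text):
    """Return the four numeric components of a Chrome version as a tuple of ints.

    Accepts the bare dotted form as well as strings such as
    'Google Chrome 148.0.7800.120' or '149.0.7827.53-1' as inventory tools
    tend to report them; raises ValueError if no four-part version is present.
    """
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no Chrome version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def is_vulnerable(version_text, fixed=FIXED_VERSION):
    """True if the installed version is older than the fixed release.

    Tuple comparison of integers is deliberate: comparing the raw strings
    would rank '149.0.7827.9' above '149.0.7827.53' (because '9' > '5') and
    misreport that vulnerable build as patched.
    """
    return parse_chrome_version(version_text) < parse_chrome_version(fixed)


# Constructed sample inventory: "hostname,reported version" lines, as an
# endpoint-management export might produce them. Hosts are not real.
SAMPLE_INVENTORY = """\
ws-001,Google Chrome 148.0.7800.120
ws-002,149.0.7827.53
ws-003,149.0.7827.9
ws-004,150.0.7900.1
ws-005,chrome not installed
"""


def triage_inventory(csv_text):
    """Sort inventory lines into vulnerable, patched and unparseable hosts."""
    report = {"vulnerable": [], "patched": [], "unknown": []}
    for line in csv_text.splitlines():
        if not line.strip():
            continue
        host, _, version_text = line.partition(",")
        try:
            bucket = "vulnerable" if is_vulnerable(version_text) else "patched"
        except ValueError:
            bucket = "unknown"
        report[bucket].append(host)
    return report


if __name__ == "__main__":
    result = triage_inventory(SAMPLE_INVENTORY)
    for bucket, hosts in result.items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts that land in the "unknown" bucket (no Chrome version parsed) deserve a manual look rather than being treated as patched; an inventory gap is not evidence of an updated browser.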