CVE-2026-11162 in Chrome

Summary

by MITRE • 06/05/2026

Inappropriate implementation in CSS in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)

Analysis

by VulDB Data Team • 06/05/2026

This vulnerability represents a cross-origin resource sharing issue within the Cascading Style Sheets implementation of the Google Chrome browser. The flaw stems from insufficient validation mechanisms in how the browser handles CSS properties and cross-origin resource requests. Attackers could craft malicious HTML pages that exploit improper boundary checking in CSS parsing, allowing unauthorized access to data from different origins. The vulnerability specifically affects Chrome versions prior to 149.0.7827.53 and falls under the Chromium security severity classification of medium risk.

The technical implementation error occurs during CSS processing when the browser fails to properly enforce same-origin policies for certain CSS properties that can trigger cross-origin requests. This type of vulnerability aligns with Common Weakness Enumeration CWE-200, which deals with information exposure through improper information gathering and processing.

The attack vector involves delivering malicious content through web pages that leverage CSS features to access resources from different domains without proper authorization. The operational impact includes potential data leakage from cross-origin resources, which could expose sensitive information such as user data, session tokens, or private content from other websites. This vulnerability can be exploited through social engineering techniques where users visit compromised websites that contain the malicious CSS code. The attack follows patterns consistent with attack technique T1566, which involves phishing and malicious website delivery methods.

Organizations using older Chrome versions remain at risk, as the fix requires updating to the patched version. The remediation involves implementing proper origin validation mechanisms in CSS processing and ensuring that cross-origin requests are properly restricted according to web security standards. Browser vendors should implement comprehensive input validation for CSS properties and maintain strict enforcement of cross-origin resource sharing policies to prevent similar issues in future implementations.

This vulnerability demonstrates the importance of maintaining up-to-date browser software and implementing robust security controls to prevent information disclosure attacks. The fix addresses the core issue of insufficient boundary checking in CSS parsing routines and ensures that proper cross-origin restrictions are enforced for all CSS properties that may trigger external resource requests. Security teams should prioritize patch management for Chrome browser installations to mitigate this medium severity vulnerability that could lead to unauthorized data access across different web origins.
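For the patch-management step, the sketch below triages an inventory of reported Chrome versions against the fixed version 149.0.7827.53 named in the summary. It is an added example, not part of the original entry or of any vendor tooling. The inventory format (host name mapped to the string your asset tool reports for Google Chrome), the host names and the sample versions are assumptions constructed for illustration.

```python
import re

# Fixed version taken from the advisory summary above.
FIXED = (149, 0, 7827, 53)

# First four-part dotted number in the reported string, e.g. the output of
# `google-chrome --version` or a bare file-version field.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_chrome_version(text):
    """Return the version as a 4-tuple of ints, or None if none is found."""
    m = _VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def triage(inventory):
    """Map each host to 'vulnerable', 'patched' or 'unknown'."""
    result = {}
    for host, reported in inventory.items():
        version = parse_chrome_version(reported)
        if version is None:
            result[host] = "unknown"      # never assume patched
        elif version < FIXED:             # numeric, component by component
            result[host] = "vulnerable"
        else:
            result[host] = "patched"
    return result


# Constructed sample inventory (host names and versions are made up).
SAMPLE = {
    "ws-01": "Google Chrome 149.0.7827.53",
    "ws-02": "Google Chrome 149.0.7827.9 ",   # a string compare would pass this
    "ws-03": "148.0.7700.120",
    "ws-04": "Google Chrome 150.0.7900.2 beta",
    "ws-05": "version query failed",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE).items()):
        print(f"{host}: {status}")
```

Feed it versions read from the installed binary rather than from User-Agent headers, since Chrome reports reduced version numbers there, and keep other Chromium-based browsers out of the inventory because their version numbering differs.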

Responsible: Chrome
Reservation: 06/04/2026
Disclosure: 06/05/2026
Moderation: accepted
CPE: ready
EPSS: 0.00000
KEV: no
Activities: very low
