CVE-2026-11289
In short
A flaw in Google Chrome's Paint feature allows an attacker to create a specially crafted webpage that can reveal private data from other websites you're visiting. This happens through subtle timing or behavioral patterns that shouldn't be visible across different websites.
Technical detail
A side-channel vulnerability in Chrome's Paint component prior to version 149.0.7827.53 enables cross-origin data leakage through a crafted HTML page. The attack exploits information observable through timing or rendering behavior differences, allowing an attacker to infer sensitive data from other origins without direct access. Remediation requires updating to the patched version.
Summary generated and translated by AI from the official description.
Side-channel information leakage in Paint in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Affected products
Google · Chrome