Severity: HIGH | CVE-2026-11255 | CNA: Chrome

CVE-2026-11255: Insufficient validation of untrusted input in Storage Access API in Google Chrome prior to 149

Insufficient validation of untrusted input in Storage Access API in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)

Metrics

CVSS v3.1: 7.5
Severity: HIGH
Fixed in: 149.0.7827.53
Affected Products: 1


HarborGuard Analysis

Synopsis

Insufficient input validation in the Storage Access API in Google Chrome prior to version 149.0.7827.53 allows a remote attacker who has already compromised the renderer process to read cross-origin data by serving a crafted HTML page. The vulnerability is reachable over the network with no authentication required and no victim interaction needed beyond browsing, and successful exploitation results in disclosure of data from other origins. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected Chrome version.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-11255 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against images in customer registries and CI/CD pipelines, including custom-built images that bundle a Chrome or Chromium binary.

Triage: Available

HarborGuard is capable of scoring this finding at CVSS 7.5 (High) and weighting it against each customer environment's compliance policy to determine urgency. Triage results are routed to the appropriate team inbox within each customer org based on configured ownership rules.

Patch: Available

A patched-image rebuild at Chrome 149.0.7827.53 becomes available on HarborGuard for any image found to carry an affected version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads.

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to reach the target over the network, as the exploit is delivered via a crafted HTML page served remotely.

  • Authentication: Not required

    No account or credentials are needed; the attacker only needs to get the target to load the malicious page.

  • Victim interaction: Not required

    No user interaction beyond ordinary browsing is required, though the attacker must first have compromised the renderer process.

  • Attack complexity: Detail

    Attack complexity is rated Low, meaning the exploit is reliable and does not depend on race conditions or specific environmental layout, aside from the prerequisite of a compromised renderer.

Blast Radius

  • A successful attacker reads data belonging to other origins that the compromised Chrome renderer would not normally be permitted to access.
  • Cross-origin data exposed may include session tokens, authentication cookies, or page content from other sites open in the same browser.
  • Integrity and availability of the affected system are not impacted; the exploit is limited to confidentiality loss.

How HarborGuard Handles This

Available on HarborGuard: any image scanned that bundles a Chrome or Chromium binary older than 149.0.7827.53 will be flagged against this CVE. For customers who opt into auto-remediation, HarborGuard rebuilds the image at the patched version, runs a regression test, and opens a pull request against affected workloads; for High-severity issues, the median time from CVE publication to a merged patch PR in auto-remediation environments is around 90 minutes. Where compliance policy requires manual approval, the finding is queued and routed to the configured owner inbox with CVSS scoring and policy weighting attached. Note that this vulnerability requires a renderer-process compromise as a prerequisite, so compensating controls such as restricting untrusted web content in containerized Chrome deployments can reduce practical exposure in the interim.
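
The version match described above can be reproduced by hand inside an image. The following is an added example, not HarborGuard's code and not part of the original record; the function names and sample version strings are constructed, and it assumes the binary's `--version` output contains a four-part dotted version.

```shell
#!/bin/sh
# Added example: flag Chrome/Chromium builds older than the CVE-2026-11255 fix.
FIXED_VERSION="149.0.7827.53"   # "Fixed in" value from this record

# Pull the first four-part dotted version out of a `--version` style string.
extract_version() {
    printf '%s\n' "$1" | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# version_lt A B: succeed only if A < B. Components are compared as integers,
# because a string comparison would rank 149.0.7827.9 above 149.0.7827.53.
version_lt() {
    i=1
    while [ "$i" -le 4 ]; do
        x=$(printf '%s' "$1" | cut -d. -f"$i")
        y=$(printf '%s' "$2" | cut -d. -f"$i")
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 1   # equal versions are not "less than"
}

# check_chrome STRING: print a verdict; return 0 patched, 1 affected, 2 unknown.
check_chrome() {
    v=$(extract_version "$1") || v=""
    if [ -z "$v" ]; then
        echo "unknown: no version found in '$1'"
        return 2
    fi
    if version_lt "$v" "$FIXED_VERSION"; then
        echo "affected: $v < $FIXED_VERSION"
        return 1
    fi
    echo "patched: $v >= $FIXED_VERSION"
    return 0
}

# Constructed sample strings (not taken from any real image).
for s in "Google Chrome 148.0.7778.96" \
         "Chromium 149.0.7827.9 built on Debian" \
         "Google Chrome 149.0.7827.53"; do
    check_chrome "$s" || true
done
# In an image: check_chrome "$(google-chrome --version)"  (binary name assumed)
```

A return code of 2 should be treated as a finding to investigate, since an image whose browser version cannot be parsed has not been shown to be patched.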


Fix available: 149.0.7827.53

Affected packages
  • Google / Chrome
    < 149.0.7827.53 (from 149.0.7827.53)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N