Cyber Resilience

CVE-2026-11153

Critical · Updated

Published: 04 June 2026
Modified: 17 June 2026
KEV Added
Patch
CVSS Score v3.1: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0026 (17.8th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-11153 is a critical-severity Improper Protection of Physical Side Channels (CWE-1300) vulnerability in Google Chrome. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185). The CVE ranks at the 17.8th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

Vulnerability details

Side-channel information leakage in Forms in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1185: Browser Session Hijacking (Collection)
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.

T1539: Steal Web Session Cookie (Credential Access)
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.

T1555.003: Credentials from Web Browsers (Credential Access)
Adversaries may acquire credentials from web browsers by reading files specific to the target browser.

Why these techniques?

Side-channel leakage of cross-origin form data in the browser directly enables session hijacking, web cookie theft, and extraction of browser-stored credentials.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

Affected Assets

google · chrome · ≤ 149.0.7827.53

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
