CVE-2026-11686 Google CVE debrief

Who should care

Users of Google Chrome on macOS, particularly those who may be targeted by remote attackers, should be aware of this vulnerability. Additionally, administrators and security teams responsible for managing Chrome deployments should prioritize patching to prevent exploitation.

Technical summary

The vulnerability exists in the Dawn component of Google Chrome on macOS. Dawn is a part of the Chromium project, which is the open-source foundation for Google Chrome. The issue arises from insufficient validation of untrusted input, which can be exploited by a remote attacker who has compromised the renderer process. This can lead to the leakage of cross-origin data via a specially crafted HTML page.

Defensive priority

High

Recommended defensive actions

• Update Google Chrome to version 149.0.7827.103 or later to patch the vulnerability.
• Ensure that Chrome is configured to automatically update to the latest version.
• Users and administrators should be cautious when visiting untrusted websites or clicking on links from unknown sources to reduce the risk of exploitation.

Evidence notes

The CVE-2026-11686 vulnerability was published on June 9, 2026, and modified on the same day. The vulnerability affects Google Chrome on macOS versions prior to 149.0.7827.103. The CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N.

Official resources