MEDIUM 6.5

CVE-2026-11019: Chrome Android Payments Domain Spoofing Vulnerability

A vulnerability in Google Chrome's payments implementation on Android allows an attacker who has already compromised the browser's rendering engine to trick users into believing they are interacting with a legitimate website when they are actually on a fraudulent one. The attacker would craft a deceptive HTML page that spoofs the domain name displayed to the user, potentially leading to credential theft, payment fraud, or other social engineering attacks. This requires an initial compromise of the renderer process, which limits the immediate exposure but represents a serious escalation risk once that initial foothold is established.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Weaknesses (CWE)
CWE-290, CWE-451
Affected products
2 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Inappropriate implementation in Payments in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to perform domain spoofing via a crafted HTML page. (Chromium security severity: Medium)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11019 stems from an inappropriate implementation of domain verification in Chrome's payments subsystem on Android. The vulnerability allows domain spoofing through crafted HTML payloads when the renderer process has been compromised. The attack leverages improper handling of domain identity checks (CWE-290: Incorrect Ownership Assignment) and mismatched data and control flow (CWE-451), enabling a remote attacker to present false domain information to the user interface. The vulnerability is network-accessible and requires no special privileges, though it does depend on prior renderer compromise—a significant but realistic constraint in multi-process browser architectures where renderer isolation is a known attack surface.

Business impact

From a business perspective, this vulnerability threatens the integrity of payment and transaction workflows on Android devices running affected Chrome versions. Users could be deceived into entering payment information or credentials on what appears to be a trusted merchant site but is actually controlled by an attacker. Organizations that rely on Chrome for secure transactions—particularly those with mobile-first or BYOD policies—face elevated fraud and reputation risk. The domain spoofing capability could also enable phishing campaigns targeting high-value users, with the attacker leveraging the initial renderer compromise (obtained through separate exploits or malware) to establish a secondary foothold for social engineering. Financial institutions and e-commerce platforms should assess their exposure to Chrome-based payment fraud.

Affected systems

Google Chrome on Android versions prior to 149.0.7827.53 are vulnerable. The vulnerability is specific to the Android platform and the payments subsystem within Chrome. Desktop and iOS versions of Chrome are not addressed in this CVE. Organizations and users running Android devices with Chrome versions 149.0.7827.52 and earlier should be considered at risk if they also face threats from renderer-compromise exploits. The impact on enterprise Android deployments depends on Chrome's role in payment or sensitive transaction workflows and the likelihood of renderer-process compromise in the threat model.

Exploitability

Exploitation requires two preconditions: (1) the attacker must have already compromised the Chrome renderer process, and (2) the user must visit a crafted HTML page served by the attacker. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N) reflects network accessibility and low attack complexity, but the requirement for renderer compromise and user interaction limits opportunistic exploitation. This is not a zero-click vulnerability and does not appear in the CISA KEV catalog, indicating no widespread active exploitation has been reported as of the modification date. However, the vulnerability is significant for targeted attacks where an attacker has already gained code execution in the renderer (through a separate browser exploit, malware installation, or supply-chain compromise) and seeks to escalate to credential or payment fraud.

Remediation

Users and administrators should upgrade Google Chrome on Android to version 149.0.7827.53 or later. Verify the installed Chrome version in Settings > Apps > Google Chrome > About Chrome, where the browser will automatically check for updates and display the current version. For enterprise environments, Chrome updates on Android can be managed through Google Play for Work or other mobile device management (MDM) solutions. Additionally, organizations should evaluate and harden their defenses against renderer-process compromise, including sandboxing enforcement, exploit mitigation (ASLR, DEP), and regular security updates for the entire Android OS and firmware stack.

Patch guidance

Apply the Chrome update to version 149.0.7827.53 or later at your earliest convenience, prioritizing devices involved in payment processing or handling sensitive transactions. The patch addresses the domain-verification logic in the payments subsystem. Chrome on Android typically updates automatically through Google Play; verify completion by checking Settings > Apps > Google Chrome > About Chrome. If automatic updates are disabled in your environment, manually trigger the update or use MDM policies to enforce compliance. Test payment workflows and domain verification behavior after patching to confirm normal operation.

Detection guidance

Detection of exploitation attempts is challenging because the attack relies on user interaction with a crafted HTML page served after renderer compromise. Monitor for: (1) anomalous Chrome renderer process crashes or restarts, which may indicate exploitation attempts; (2) unusual network traffic from Chrome to non-whitelisted payment or phishing domains; (3) user reports of payment or credential submission on unexpected domains; (4) Chrome extension installations from untrusted sources, which could facilitate renderer compromise. Endpoint detection and response (EDR) tools with browser-process monitoring and network inspection capabilities are most effective. Additionally, maintain awareness of published renderer exploits and correlate them with this vulnerability to assess post-compromise risk in your environment.

Why prioritize this

Although this vulnerability carries a CVSS score of 6.5 (MEDIUM) and has not been flagged for active exploitation in the wild, it warrants prioritized attention for three reasons: (1) it directly threatens payment integrity and user credentials, amplifying business impact beyond typical medium-severity issues; (2) it affects a ubiquitous mobile browser used in both consumer and enterprise Android environments; (3) the dependency on renderer compromise—while limiting immediate risk—creates a chaining opportunity with other browser exploits, making it a high-value target for sophisticated attackers. Organizations with significant Android mobile deployments or payment workflows should treat this as a near-term remediation priority.

Risk score, explained

The CVSS 3.1 score of 6.5 reflects: Attack Vector Network (AV:N) — remotely exploitable; Attack Complexity Low (AC:L) — no special conditions required beyond initial renderer compromise; Privileges Required None (PR:N) — no authentication needed; User Interaction Required (UI:R) — user must visit the crafted page; Scope Unchanged (S:U) — impact is limited to the vulnerable component; Confidentiality None (C:N) — no data disclosure; Integrity High (I:H) — domain spoofing misleads the user into trusting a false entity; Availability None (A:N) — no denial of service. The MEDIUM severity is appropriate for a vulnerability that corrupts trust in payment workflows but requires an upstream compromise. Business context—payment fraud risk and mobile ubiquity—may justify elevated prioritization despite the technical score.

Frequently asked questions

Does this vulnerability allow an attacker to steal my passwords or payment information directly?

Not directly. The vulnerability itself does not exfiltrate data; it deceives you into entering credentials or payment info on a fake domain that appears legitimate. An attacker must first compromise your Chrome renderer process (typically via a separate exploit or malware), then serve you a spoofed payment page. Your browser's address bar may show the attacker's fake domain. Always verify the domain in your address bar and use strong, unique passwords to limit damage if you accidentally submit credentials to a spoofed site.

Do I need to worry about this if I don't use Chrome on Android?

No. This vulnerability is specific to Google Chrome on Android devices. If you use Safari on iOS, Firefox, or another browser, this particular issue does not affect you. However, all browsers have their own vulnerabilities, so keeping any browser updated is a good practice.

What's the difference between this vulnerability and other Chrome security issues I've heard about?

This one is specifically about the payments feature being fooled about which website you're actually on. Many Chrome vulnerabilities are about code execution or data theft. This one is about trust and perception—making you believe you're on a safe site when you're not. It requires an attacker to already have compromised your browser's core rendering process, which is a significant but real threat if you've been hit by malware or a targeted exploit.

Will Chrome auto-update this fix, or do I need to manually update?

Chrome on Android is configured to auto-update by default through Google Play. Check Settings > Apps > Google Chrome > About Chrome to see your current version and trigger a manual check if needed. If you're in an enterprise environment, your IT team may have configured updates through a mobile device manager (MDM), so contact them if you're unsure about your update status.

This analysis is provided for informational purposes and represents SEC.co's interpretation of publicly available vulnerability data as of the modification date. Patch version numbers, affected product versions, and CVSS scores are sourced from official CVE records and vendor advisories and should be verified against the latest Google Chrome release notes and Android security bulletins before deployment. The analysis does not constitute legal advice, warranty, or guarantee of security. Organizations must conduct their own risk assessment based on their specific environment, threat model, and business requirements. SEC.co assumes no liability for damages or losses resulting from reliance on this information or from delayed patching. Always consult your vendor's official security advisories and your internal security team before making remediation decisions. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).