CVE-2026-11025: Chrome Android CSP Bypass Vulnerability – Patch Guidance
Google Chrome on Android contains a flaw in how it enforces content security policies (CSP) during navigation. An attacker can craft a malicious HTML page that, when visited by a user, bypasses the browser's CSP protections. This allows the attacker to inject or execute unintended content within a page that should be restricted. The vulnerability requires user interaction (visiting a malicious site) and affects Chrome versions before 149.0.7827.53 on Android devices.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
- Weaknesses (CWE)
- CWE-602
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Insufficient policy enforcement in Navigation in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to bypass content security policy via a crafted HTML page. (Chromium security severity: Medium)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11025 stems from insufficient policy enforcement mechanisms in Chrome's navigation stack on Android. Content Security Policy is a critical browser security feature that restricts resource loading and script execution to prevent injection attacks. The vulnerability allows a network attacker to circumvent CSP restrictions via a specially crafted HTML page, falling under CWE-602 (Client-Side Enforcement of Server-Side Security). The attack surface is limited by the requirement for user interaction and operates within the security context of a single page (Confidentiality: None, Integrity: High, Availability: None).
Business impact
This vulnerability primarily affects organizations whose workforce uses Chrome on Android devices to access web applications that rely on CSP for protection against content injection attacks. The integrity impact means attackers could inject malicious scripts or content within supposedly-protected applications, potentially leading to credential theft, session hijacking, or malware distribution. Organizations with strict BYOD policies or those supporting Android browsing should prioritize assessment. The actual risk depends on whether your web applications are targeted and whether users' Android devices are exposed to attacker-controlled content.
Affected systems
Google Chrome on Android devices running version 149.0.7827.53 or earlier are vulnerable. Desktop Chrome and Chrome on other platforms are not affected by this specific issue. Organizations should inventory Android devices with Chrome versions below the patched release, particularly those in field support, contractor, or remote-work scenarios where device management may be limited.
Exploitability
Exploitation requires a user to visit a crafted HTML page hosted by an attacker—no network access is needed beyond standard web browsing. An attacker cannot force a victim to the malicious page without social engineering or if the page is discovered through legitimate search results. The attack does not grant remote code execution on the device itself; it specifically bypasses CSP restrictions within the browser's content isolation model. The CVSS score of 6.5 (Medium) reflects this limited but meaningful integrity impact without requiring elevated privileges or system-level access.
Remediation
Update Google Chrome on Android to version 149.0.7827.53 or later. Users can check their current version via Chrome Settings > About Chrome, which typically triggers automatic updates on Android. For organizations managing Android devices via Mobile Device Management (MDM), enforce a minimum Chrome version policy. No workarounds exist; patching is the only mitigation. Chrome's automatic update mechanism means most users will receive the fix within days, though some older or offline devices may require manual intervention.
Patch guidance
Verify that Chrome on all organization-managed or BYOD Android devices has been updated to 149.0.7827.53 or later. Enable automatic app updates in Google Play Store settings if your device management policy permits. For enterprise deployments, confirm that your MDM solution has pushed the minimum version requirement and monitor compliance. If Chrome does not auto-update within 7 days of the patch release, manually update via Google Play Store or enterprise distribution channels. Document patch confirmation in your vulnerability tracking system.
Detection guidance
Monitor Chrome version numbers across your Android device fleet using your MDM platform or mobile threat defense solution. Configure alerting for Chrome installations below version 149.0.7827.53. If your organization inspects web traffic, watch for unusual CSP violations or policy bypass attempts that correlate with Android Chrome user activity. Behavioral indicators are limited; focus on proactive version auditing rather than reactive detection. Check browser logs on endpoints if available, though most Android deployments do not retain detailed CSP violation logs.
Why prioritize this
This vulnerability merits prompt but not emergency response. The CVSS 6.5 score and Medium severity indicate meaningful risk, but the requirement for user interaction and the narrowly scoped integrity impact (CSP bypass, not RCE) place it below critical threats. Prioritize patching if your organization hosts security-sensitive web applications that rely on CSP, or if you have high Android adoption. Organizations with primarily desktop-focused workforces or those using alternative mobile browsers can deprioritize slightly, provided they audit any Android Chrome usage.
Risk score, explained
The CVSS 6.5 score reflects a network-based attack with low complexity and no privileges required, balanced against high integrity impact but no confidentiality or availability loss. The user interaction requirement (a user must visit a malicious page) prevents a fully autonomous attack and limits the attack scope to the single application context. This places the risk solidly in the Medium category—significant enough to warrant timely patching, but not an emergency that overrides other operational priorities.
Frequently asked questions
Does this vulnerability allow attackers to install malware on my Android device?
No. This vulnerability allows an attacker to inject or execute content within a web page that should be restricted by Content Security Policy. It does not grant the attacker the ability to execute arbitrary code on your device or install applications. The impact is limited to web-based content injection within the browser.
If I don't visit malicious websites, am I safe?
Largely yes—the attack requires you to visit a crafted HTML page controlled by the attacker. However, an attacker could attempt to trick you into visiting such a page through a malicious link or by compromising a legitimate website. The safest approach is to patch Chrome promptly rather than rely on avoiding malicious sites.
Does this affect Chrome on my Windows or Mac computer?
No. This vulnerability is specific to Chrome on Android. Desktop and laptop versions of Chrome are not affected by this particular flaw, though you should always keep all software updated for other security reasons.
What should enterprise IT administrators do?
Enforce a minimum Chrome version (149.0.7827.53 or later) via Mobile Device Management policies. Audit current device compliance and set deadlines for remediation. If you manage BYOD devices, communicate the update requirement to users and monitor adherence. Consider blocking or warning users on older Chrome versions from accessing sensitive web applications if feasible within your architecture.
This analysis is based on publicly disclosed vulnerability information current as of the publication date. Security details, affected versions, and patch availability may evolve; verify all technical claims against official vendor advisories and security releases. This content is for informational purposes and does not constitute professional security advice. Organizations should conduct their own risk assessments and testing before deploying patches in production environments. Threat landscapes change; prioritization should account for your organization's specific asset inventory, threat model, and business context. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-11014MEDIUMChrome Extension Policy Bypass Allows Site Isolation Circumvention
- CVE-2026-11018MEDIUMChrome Navigation Policy Bypass (6.5 CVSS)
- CVE-2026-11011HIGHChrome Password Manager Site Isolation Bypass – Patch Guidance
- CVE-2026-42329MEDIUMIris Open Redirect Vulnerability (v2.4.28 Fix)
- CVE-2025-48648MEDIUMAndroid NotificationManagerService Resource Exhaustion DoS
- CVE-2026-0018MEDIUMAndroid AccessibilityManagerService Denial of Service Vulnerability
- CVE-2026-0039MEDIUMAndroid Integer Overflow Denial of Service Vulnerability
- CVE-2026-0040MEDIUMAndroid ubsan_throwing_runtime Integer Overflow DoS Vulnerability