MEDIUM 6.1

CVE-2026-11034: Google Chrome Android Tab Group Sync XSS Vulnerability – CVSS 6.1

Google Chrome on Android contains a vulnerability in its Tab Group Sync feature that allows attackers to inject malicious scripts or HTML into web pages. An attacker with network access can craft malicious traffic to exploit insufficient input validation, potentially displaying fake content or stealing user information from websites. This affects Chrome versions prior to 149.0.7827.53.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.1 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Weaknesses (CWE)
CWE-20
Affected products
2 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Insufficient validation of untrusted input in Tab Group Sync in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via malicious network traffic. (Chromium security severity: Medium)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11034 is a cross-site scripting (XSS) vulnerability—specifically an UXSS (Universal XSS) variant—in the Tab Group Sync component of Google Chrome for Android. The vulnerability stems from CWE-20 (Improper Input Validation), where untrusted network data is not adequately sanitized before being processed by the sync mechanism. An attacker positioned to observe or intercept network traffic can send specially crafted payloads that bypass validation checks, resulting in arbitrary script or HTML execution within the browser context. The Chromium project classified this as medium severity due to the requirement for user interaction and the constrained scope of impact.

Business impact

Organizations supporting Chrome on Android devices face two primary risks. First, users may inadvertently interact with malicious web content injected via Tab Group Sync, potentially compromising credential entry or enabling unauthorized actions on behalf of the user. Second, depending on sync configuration and enterprise deployment scope, attackers could target users during network transitions (WiFi switching, VPN disconnection) when traffic inspection becomes feasible. Sectors with high-value Android deployments—financial services, healthcare, government—should prioritize remediation to prevent social engineering attacks layered atop this vulnerability.

Affected systems

Google Chrome on Android versions prior to 149.0.7827.53 are affected. The vulnerability is specific to the Android platform and the Tab Group Sync feature. Desktop Chrome and iOS Chrome are not mentioned in the advisory and should be presumed unaffected unless explicit guidance states otherwise. Users on older Android Chrome versions, including security patch levels more than a few months behind, are at risk.

Exploitability

Exploitation requires network access (AV:N) and user interaction (UI:R), but no special privileges are needed (PR:N) and the attack complexity is low (AC:L). This means an attacker on the same network, or intercepting traffic at an ISP or WiFi provider level, can trigger the vulnerability if a user has Tab Group Sync enabled and opens a malicious link or visits a compromised network. The requirement for user interaction moderates the risk; however, the low barrier to creating convincing phishing or network-based attack scenarios keeps exploitability practical. The vulnerability has not been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, suggesting active exploitation in the wild has not yet been documented at publication.

Remediation

Update Google Chrome on Android to version 149.0.7827.53 or later. This is the minimal version that includes the security patch. Users should enable automatic updates in Google Play Store settings to receive patches without manual intervention. Organizations managing Android devices via MDM solutions should deploy the update through their device management infrastructure to ensure uniform patch coverage. Interim: users can disable Tab Group Sync in Chrome Settings > Sync and Google Services until patching is feasible, though this reduces productivity for users relying on cross-device tab management.

Patch guidance

Google has released version 149.0.7827.53 containing the fix. Verify this version or any subsequent release by checking Chrome Settings > About Chrome on the Android device; the browser will display the current version and initiate an automatic check for updates. For enterprises, confirm rollout through your MDM console's Chrome policy settings or via Google Play deployment channels. Testing should focus on verifying Tab Group Sync functionality remains intact post-patch and that no tab synchronization errors occur across devices. Allow 24–48 hours for the patch to propagate globally through Google Play Store distribution.

Detection guidance

Network detection is limited without decrypting HTTPS traffic; however, monitoring for unusual network patterns to Chrome's sync endpoints or anomalous data sizes in Tab Group Sync requests may reveal attack attempts. Endpoint detection should focus on Chrome processes spawning unexpected child processes or accessing sensitive system resources (credential storage, clipboard) after Tab Group Sync activity. Browser extension monitoring and JavaScript execution logs can help identify injected code post-compromise. For Android devices, enable Chrome's Enhanced Safe Browsing if available, which provides server-side analysis of suspicious pages. Regularly audit Tab Group Sync settings across managed devices to confirm the feature is only enabled where necessary.

Why prioritize this

While classified as medium severity, this vulnerability warrants timely patching due to several factors. First, the low attack complexity and lack of required privileges make it a practical target for opportunistic attackers on shared networks. Second, the Android platform's large user base and the ubiquity of Chrome create a wide attack surface. Third, the UXSS nature of the vulnerability (arbitrary script execution in any web page context) amplifies the damage potential beyond typical XSS. Organizations with mobile-first workforces or BYOD programs should treat this as a high-priority patch cycle item.

Risk score, explained

The CVSS 3.1 score of 6.1 (medium) reflects a network-accessible vulnerability with low complexity and no privilege requirement, but tempered by user interaction requirement (UI:R) and limited scope (confidentiality and integrity impact only, no availability impact). The score appropriately captures the practical risk: while not as severe as a zero-click network RCE, this vulnerability enables realistic attack chains against Android users, particularly those on untrusted networks or via coordinated social engineering. The score does not account for the widespread deployment of Chrome on Android or the attractive nature of XSS primitives for follow-on attacks; security teams should consider contextual risk elevation in their own threat models.

Frequently asked questions

Do I need to update Chrome on my other devices (desktop, iPad) for this vulnerability?

No. This vulnerability is specific to Android. Desktop Chrome and iOS Chrome are not affected. However, you should keep all devices on the latest Chrome version as a general security practice.

What is Tab Group Sync and do I have it enabled?

Tab Group Sync is a Chrome feature that synchronizes tab groups across your signed-in devices, allowing you to access the same organized tab collections on your phone, tablet, and computer. You can check if it's enabled on Android by going to Chrome Settings > Sync and Google Services. If 'Sync everything' is on or 'Tabs' is specifically enabled under selective sync, the feature is active.

Can an attacker steal my passwords or see my private browsing data through this vulnerability?

The vulnerability allows injection of scripts into web pages you visit, which could be used to capture credentials you enter on compromised pages or read publicly visible page content. Private browsing data and Chrome's password database are protected separately; this vulnerability does not directly unlock those. However, an attacker could potentially trick you into entering credentials on a fake page injected via this flaw.

If I'm behind a company VPN, am I protected from this attack?

A properly configured VPN encrypts your traffic end-to-end and prevents attackers from intercepting or modifying network packets. However, if the VPN itself is compromised, or if an attacker is positioned before the VPN entry point (on your local network), they may still attempt exploitation. The strongest defense remains keeping Chrome patched.

This analysis is based on information available as of the publication date and reflects the Chromium project's official severity assessment. Exploit details, patch deployment timelines, and real-world attack prevalence may evolve. Organizations should verify patch availability and compatibility in their specific environments before deployment. This analysis does not constitute legal or compliance advice; consult your security policy and relevant regulations for mandatory remediation timelines. SEC.co makes no warranty regarding the completeness or accuracy of this analysis and disclaims liability for decisions made in reliance on it. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).