CVE-2026-11035: Chrome Android Custom Tabs Privilege Escalation – Patch Now
Google Chrome on Android contains a flaw in how it handles Custom Tabs—a feature that allows apps to open web content within their own interface. An attacker with local access to a device can exploit this vulnerability by crafting a malicious XML file, potentially gaining elevated privileges on the system. The issue affects Chrome versions prior to 149.0.7827.53. While the base severity from Chromium is listed as Medium, the overall risk score reflects the complete attack chain impact.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.3 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-20
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Inappropriate implementation in Custom Tabs in Google Chrome on Android prior to 149.0.7827.53 allowed a local attacker to perform privilege escalation via a crafted XML file. (Chromium security severity: Medium)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11035 is an improper input validation vulnerability (CWE-20) in the Custom Tabs implementation within Google Chrome for Android. The flaw permits privilege escalation through a specially crafted XML file when a user with existing local access interacts with the malicious payload. The vulnerability requires user interaction (the user must open or process the XML in a context that triggers the vulnerable code path) but does not require network access. Successful exploitation grants an attacker the same privileges as the affected user, with potential to read, modify, or delete sensitive data and disrupt system availability.
Business impact
Privilege escalation vulnerabilities on mobile devices pose a significant risk in enterprise environments where Android devices handle corporate email, financial data, and authentication credentials. A compromised device can serve as a pivot point for lateral movement within corporate networks, especially if the device syncs data or connects to internal services. For consumer users, successful exploitation could lead to unauthorized access to payment information, personal communications, and sensitive applications. The requirement for local access and user interaction somewhat restricts the attack surface, but the high-impact consequences (confidentiality, integrity, and availability) mean this vulnerability warrants prompt remediation.
Affected systems
Google Chrome on Android versions prior to 149.0.7827.53 are vulnerable. This includes all stable, beta, and extended release channels below the patched version. The vulnerability does not affect Chrome on other platforms (Windows, macOS, Linux, iOS). Android versions are not directly vulnerable; the flaw is specific to Chrome's implementation. However, any Android device running an unpatched version of Chrome is at risk.
Exploitability
Exploitation requires local access to the device and user interaction—specifically, the user must open or process a crafted XML file in a way that triggers Chrome's Custom Tabs code path. This could occur through email attachments, downloads, file sharing apps, or social engineering. The attack does not require network access or administrative privileges on the device beforehand. The CVSS vector (AV:L/AC:L/PR:L/UI:R) indicates that the attack is locally feasible with low complexity, though user interaction is needed. The vulnerability is not currently tracked in CISA's Known Exploited Vulnerabilities catalog, suggesting no active in-the-wild exploitation has been reported as of the last update.
Remediation
Users and administrators should update Google Chrome on Android to version 149.0.7827.53 or later as soon as possible. Updates are typically delivered through Google Play Store; users can check for updates manually via Chrome's settings menu (Settings > About Chrome) if automatic updates are not enabled. For enterprise deployments, verify that your mobile device management (MDM) solution is configured to enforce Chrome updates or restrict access to older versions. There is no known workaround for this vulnerability other than updating.
Patch guidance
Google has patched this vulnerability in Chrome 149.0.7827.53. Verify the patched version number against the official Google Chrome release notes. On Android, update Chrome through the Google Play Store (search for 'Chrome' and tap 'Update'). For enterprise customers managing Chrome through Google Workspace or similar platforms, check that policy-based update mechanisms are active. Users who have automatic updates enabled will receive the patch automatically; however, manual verification is recommended for security-sensitive deployments.
Detection guidance
Monitor your environment for Chrome installations on Android devices using versions prior to 149.0.7827.53. Mobile device management solutions can report the installed Chrome version across enrolled devices; use this data to identify gaps. On the endpoint level, look for suspicious XML files being processed by Chrome or related services, though such detection requires advanced endpoint detection and response (EDR) capabilities rarely available on consumer Android devices. Network detection is limited since the attack is entirely local. In enterprise settings, combine MDM reporting with user communication to accelerate update adoption. If you suspect exploitation, examine device logs for unexpected privilege escalation events or unauthorized access to sensitive applications.
Why prioritize this
This vulnerability merits high priority due to the combination of high-impact consequences (privilege escalation affecting confidentiality, integrity, and availability) and relatively low attack complexity. Although it requires local access and user interaction, mobile devices are frequently attacked through social engineering and malware distribution, making these conditions realistic in many threat scenarios. The widespread use of Chrome on Android globally means the vulnerable population is large. Prioritize patching devices that handle sensitive corporate or financial data, followed by general rollout to the entire mobile device fleet.
Risk score, explained
The CVSS 3.1 score of 7.3 (HIGH) reflects a privilege escalation with full impact across confidentiality, integrity, and availability. The local attack vector (AV:L) and low attack complexity (AC:L) indicate the flaw is relatively straightforward to exploit once an attacker has local access. User interaction (UI:R) is required but is not a strong barrier given social engineering and malware distribution vectors. The CVSS vector does not account for the breadth of the vulnerable population (all Android Chrome users) or the likelihood of local access in enterprise breach scenarios. The Chromium project's own severity assessment (Medium) may reflect a narrower threat model; however, the full CVSS score appropriately captures the real-world risk.
Frequently asked questions
Do I need to update Chrome on iOS, Windows, Mac, or Linux?
No. This vulnerability is specific to Chrome on Android. Other platforms and versions are not affected. However, keeping all software updated is a security best practice, so consider updating Chrome on all platforms as part of regular maintenance.
Can I be exploited if I do not open untrusted XML files?
The vulnerability requires interaction with a malicious XML file, typically through opening it directly or having it processed by Chrome. However, social engineering, malware, or phishing attacks could deliver such files. If you practice cautious browsing habits and do not open suspicious attachments or downloads, your risk is lower—but updating is the only reliable protection.
Does this vulnerability require the attacker to be on my network?
No. The attack is local to the device only (AV:L), meaning the attacker must have some form of access to your Android device itself—either physical access, malware already running on the device, or the ability to trick you into opening a malicious file. Network-based attacks cannot directly trigger this vulnerability.
What should enterprises do to address this vulnerability?
Enforce Chrome updates through your mobile device management (MDM) solution, verify patch deployment across your device fleet, and communicate the need for immediate updates to users. For high-risk devices (those accessing financial or health data), prioritize patching. Consider blocking access to sensitive applications on unpatched devices until updates are applied.
This analysis is based on publicly available vulnerability data and official vendor advisories as of the publication date. Security assessments are subject to change as new information becomes available. Always verify patch version numbers and update procedures against Google's official Chrome release notes and your organization's security policies. This vulnerability intelligence is provided for informational purposes to assist security decision-making; it does not constitute legal or compliance advice. Consult with your legal and compliance teams regarding breach notification and regulatory reporting obligations specific to your jurisdiction. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2025-22424HIGHAndroid Local Privilege Escalation via Image Disclosure
- CVE-2026-0078HIGHAndroid Privilege Escalation via DevicePolicyManagerService Desync
- CVE-2026-10020HIGHChrome Android Sandbox Escape via Skia Input Validation Flaw
- CVE-2026-10021HIGHGoogle Chrome USB Validation Flaw – RCE Vulnerability Patch
- CVE-2026-10904HIGHChrome V8 Sandbox Escape Remote Code Execution
- CVE-2026-10911HIGHChrome Sandbox Escape Vulnerability (High Severity)
- CVE-2026-10917HIGHChrome Media Sandbox Escape Vulnerability (High CVSS 8.3)
- CVE-2026-10920HIGHChrome macOS WebShare Sandbox Escape Vulnerability (v149)