CVE-2026-11172: Chrome Android Contact Picker UI Spoofing Vulnerability – Patch Guide
A UI spoofing flaw in Chrome's Contact Picker on Android allows attackers to trick users via specially crafted web pages. When a user attempts to select a contact, a malicious site can mask its true identity or intentions by manipulating the security UI elements that normally help users understand what app or service is asking for contact information. This deceives users into granting access to their contacts under false pretenses.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-451
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Incorrect security UI in Contact Picker in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11172 exploits an incorrect security UI implementation in the Contact Picker component of Google Chrome on Android versions prior to 149.0.7827.53. The vulnerability is classified under CWE-451 (User Interface (UI) Misrepresentation of Critical Information). An attacker crafts a malicious HTML page that, when visited, manipulates the visual presentation of the contact selection dialog. Because the security UI fails to accurately represent which application or origin is requesting contact data, users cannot reliably determine whether they should grant permission. The attack requires user interaction (clicking to select a contact) but does not require authentication, making it accessible to any attacker hosting a web page.
Business impact
Contact compromise represents a significant data breach risk. Once an attacker gains access to a user's contact list, they can conduct targeted phishing campaigns, social engineering attacks, or account takeover attempts against the victim's entire network. For organizations where employees use Chrome on Android devices, this vulnerability could enable harvest of corporate contact directories, client lists, or partner information. The high CVSS score of 8.8 reflects the combination of confidentiality, integrity, and availability impacts—attackers can read contacts, potentially modify trust relationships, and disrupt normal communication flows.
Affected systems
Google Chrome on Android devices running versions before 149.0.7827.53 are vulnerable. The vulnerability is specific to the Android platform and the Contact Picker UI component. Desktop Chrome versions are not affected by this particular flaw. Any Android user with an older Chrome build who visits a malicious website is at risk.
Exploitability
Exploitability is straightforward. The attack requires only a crafted HTML page hosted on the internet—no exploit code, zero-day research, or special network positioning is needed. However, it does require user interaction: the victim must visit the malicious page and proceed through the contact selection flow. Social engineering (phishing emails, malicious links) would typically precede the attack. Once a user is on the page, the spoofed UI makes the attack appear legitimate, so successful exploitation rates could be high in real-world scenarios.
Remediation
Immediate action is to update Chrome to version 149.0.7827.53 or later on all Android devices. Organizations should use Mobile Device Management (MDM) policies to enforce Chrome updates and restrict installation of older versions. For users unable to update immediately, avoid clicking links from untrusted sources and be cautious when the contact picker appears—legitimate requests typically come from known applications or services, not arbitrary websites.
Patch guidance
Apply Chrome version 149.0.7827.53 or later as soon as possible. Most Android devices will receive automatic updates; however, verify update status in Chrome Settings > About Chrome. Organizations managing Android devices through MDM should push updates via device policy to ensure rapid deployment. Confirm patched version by checking chrome://version on the device.
Detection guidance
Monitor for downloads or visits to suspicious URLs known to host this exploit. Endpoint Detection and Response (EDR) tools should flag unusual contact access patterns—particularly bulk contact enumeration following web visits. Log Chrome update status across managed devices to identify lagging deployments. While the vulnerability itself leaves minimal forensic traces, detection of the *attack* relies on behavioral indicators: users reporting unexpected contact picker prompts, or security tools observing contact data being exfiltrated after a web session.
Why prioritize this
Although not yet listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, the high CVSS score (8.8), low attack complexity, and lack of authentication requirement make this a priority patch. The Contact Picker is widely used for legitimate purposes (email clients, messaging apps), making this an attractive vector for attackers. Android's fragmented update landscape means many devices will remain vulnerable for weeks or months, extending the exposure window.
Risk score, explained
The CVSS 3.1 score of 8.8 (HIGH) reflects: Network-based attack vector (AV:N), low attack complexity (AC:L), no privilege required (PR:N), and mandatory user interaction (UI:R). The impact is broad—high confidentiality loss (contacts exposed), high integrity risk (trust relationships compromised), and high availability impact (disrupted communication). While classified as Medium by Chromium's own severity rating, the CVSS score of 8.8 is more aligned with real-world risk given the sensitive nature of contact data and the simplicity of the attack.
Frequently asked questions
Can desktop Chrome users be affected?
No. This vulnerability is specific to Chrome on Android and the Contact Picker implementation on that platform. Desktop versions of Chrome do not have this flaw.
Do I need to grant a website permission to access contacts for this exploit to work?
The exploit manipulates the UI you see when granting that permission. The attacker counts on the spoofed UI misleading you into believing the request is legitimate. If you deny the permission prompt, the attack fails.
How quickly should I update?
As soon as possible. This is a network-accessible vulnerability requiring only user interaction on an older Chrome build. If your organization manages Android devices, prioritize Chrome updates in your MDM policy within 24–48 hours.
Is this being actively exploited?
As of the publication date, this vulnerability is not yet on CISA's Known Exploited Vulnerabilities list. However, the low barrier to exploitation means attackers will likely begin targeting it once patches are delayed or inconsistently deployed.
This analysis is provided for informational purposes and reflects the vulnerability details available as of the publication date. CVSS scores, patch versions, and affected product versions are based on official vendor advisories and must be verified against Google's security updates before deployment. This vulnerability has not been confirmed as actively exploited in the wild at the time of writing. Organizations should conduct their own risk assessments and testing in development environments before applying patches to production. No exploit code or weaponized proof-of-concept is provided or endorsed by SEC.co. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-0088HIGHAndroid CertInstaller Privilege Escalation
- CVE-2026-0093HIGHAndroid Local Privilege Escalation via Misleading UI—CVSS 7.8
- CVE-2026-0094HIGHAndroid KeyChain Privilege Escalation via UI Misrepresentation
- CVE-2026-0096HIGHAndroid Local Privilege Escalation in ForgetDeviceDialogFragment
- CVE-2026-11175HIGHChrome Android UI Spoofing in Messages – Patch Now
- CVE-2026-10984MEDIUMGoogle Chrome Android UI Spoofing Vulnerability – Medium Severity
- CVE-2026-11001MEDIUMGoogle Chrome UI Spoofing in Payments – Patch Now
- CVE-2026-11019MEDIUMChrome Android Payments Domain Spoofing Vulnerability