HIGH 8.8

CVE-2026-11175: Chrome Android UI Spoofing in Messages – Patch Now

Google Chrome on Android contains a flaw in how it displays security-related UI elements within the Messages feature. An attacker can craft a malicious webpage that tricks users into thinking they're interacting with legitimate Chrome security dialogs or warnings, when they're actually seeing fake ones controlled by the attacker. This UI spoofing attack requires user interaction—the victim must visit the malicious page—but once they do, the attacker can deceive them into taking actions they wouldn't normally take, such as entering credentials or approving permissions.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-451
Affected products
2 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Incorrect security UI in Messages in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11175 stems from an Incorrect Security UI vulnerability (CWE-451) in the Messages component of Chrome on Android versions prior to 149.0.7827.53. The flaw allows an attacker to spoof legitimate security UI elements through crafted HTML delivered via a remote webpage. By manipulating how Chrome renders security-related messages, an attacker can display fake warnings or dialogs that appear authentic to the user. The attack vector is network-based with low attack complexity; exploitation requires user interaction (UI:R) but does not require privileges and is not sandboxed to individual pages (S:U). The result can compromise confidentiality, integrity, and availability from the attacker's perspective.

Business impact

This vulnerability poses a direct threat to Android users of Chrome, particularly those who rely on in-app security prompts to make trust decisions. Attackers can use UI spoofing to harvest credentials, trick users into granting dangerous permissions, or redirect users to malicious content while appearing to be legitimate Chrome warnings. Organizations with BYOD policies or those supporting Android devices should expect increased phishing and social engineering attacks leveraging this flaw. The high CVSS score (8.8) reflects the broad impact surface and the difficulty of defending users who may not recognize spoofed UI even after patching, until all users update.

Affected systems

Google Chrome on Android versions below 149.0.7827.53 are vulnerable. The Messages feature is affected, suggesting the flaw impacts how Chrome handles in-app notifications and dialogs. All Android device versions running affected Chrome releases are at risk. The vulnerability does not appear to affect Chrome on desktop or other platforms based on the scope (S:U indicates user-scoped impact), but users should verify the fixed Chrome version availability for their specific Android version and device manufacturer, as patch rollout timelines vary.

Exploitability

Exploitation requires a remote attacker to serve malicious HTML to a victim. The attack has low complexity and requires no authentication or elevated privileges. User interaction is necessary—the victim must visit the crafted page or receive it via link—but this is a low bar for social engineering campaigns. Once visited, the spoofed UI can convince users to take actions with high confidence, making this vulnerability particularly dangerous in practice despite being theoretically lower in the exploit chain. The CVSS assessment of HIGH severity reflects this real-world exploitability risk.

Remediation

Immediately update Chrome on Android to version 149.0.7827.53 or later. Users should check Settings > About Chrome to verify their current version and enable automatic updates if not already enabled. Organizations managing Android devices should prioritize Chrome updates in their mobile device management (MDM) policies and confirm update deployment across their user base. Since the vulnerability requires user interaction and spoofed UI, employee security awareness training about verifying security dialogs (e.g., checking for authentic Chrome branding) provides a temporary defense layer while updates roll out, though patching remains the only reliable fix.

Patch guidance

Verify the fixed version is 149.0.7827.53 or later by navigating to Chrome Settings > About Chrome, which will also automatically check for and install updates. For managed deployments, confirm MDM policies push Chrome updates and monitor deployment status to ensure coverage. Test the patch in a limited environment with a sample of devices before full rollout if your organization manages large Android fleets. Note that manufacturers may bundle Chrome updates differently; corporate-managed devices should verify compatibility with their device management platform. After patching, consider a brief security awareness reminder about phishing techniques, since users accustomed to spoofed UIs may remain vulnerable to other social engineering attacks.

Detection guidance

At the network level, look for unusual HTTP traffic patterns to Chrome's Messages component or anomalous rendering of security dialogs in web traffic inspection logs. On Android devices, monitor for reports of users seeing unusual or unfamiliar Chrome security prompts, especially if multiple users report similar suspicious messages. Check MDM logs for Chrome version adoption and flag devices not yet on 149.0.7827.53 or later. Behavioral signals include credential entry anomalies or sudden permission grants following security dialogs. Examine browser history on vulnerable devices for visits to suspicious domains around the time of reported spoofing incidents. Enable Chrome's Safe Browsing and ensure Android Defender is active to catch hosting infrastructure serving the exploit payloads.

Why prioritize this

Although not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, the HIGH CVSS score (8.8), low attack complexity, and human-factor nature of UI spoofing make this a near-term priority. The attack combines technical accessibility with high user impact—attackers can convincingly steal credentials or permissions without zero-day complexity. Android's fragmented update landscape means a significant portion of users will remain vulnerable for weeks or months. Prioritize patching for users with privileged access, those handling sensitive data, and any devices in high-risk roles. Organizations should treat this as equivalent to a KEV candidate despite current non-listing.

Risk score, explained

The CVSS 3.1 score of 8.8 (HIGH) reflects: Network-based attack vector (AV:N) requiring no special access; Low attack complexity (AC:L) from the attacker's perspective; No privilege or authentication required (PR:N); User interaction as the only practical gate (UI:R); User-scoped impact (S:U) affecting only the compromised user session; and High impact across confidentiality (C:H), integrity (I:H), and availability (A:H) from the attacker's perspective. The high confidentiality and integrity scores account for credential theft and malicious permission grants. The high availability score reflects potential impacts such as device lockout or denial of legitimate service following user deception. The score appropriately reflects the practical danger of a flaw that enables convincing social engineering at scale.

Frequently asked questions

Is my Chrome desktop browser affected by this vulnerability?

No. CVE-2026-11175 is specific to Chrome on Android and the Messages feature in that environment. Desktop Chrome versions are not affected. However, you should always keep Chrome updated on all platforms for other security improvements.

What should I do if I visited a suspicious webpage before updating Chrome?

Update Chrome to 149.0.7827.53 or later immediately. Review your recent account activity, especially for Android accounts used with Chrome, and check for unauthorized logins or permission changes. If you entered credentials on a suspicious page, change your password from a trusted device. Consider enabling two-factor authentication if you haven't already. Monitor for phishing or unusual account behavior over the next few weeks.

Does enabling Safe Browsing protect me from this vulnerability?

Safe Browsing helps block known malicious domains that host exploit payloads, but it does not prevent the underlying UI spoofing flaw itself. Patching to 149.0.7827.53 or later is the only reliable fix. Safe Browsing is a useful defense layer but should not replace patching.

Why is this vulnerability not on CISA's Known Exploited Vulnerabilities list yet?

CISA's KEV catalog focuses on vulnerabilities with confirmed active exploitation in the wild. CVE-2026-11175 may not yet have documented in-the-wild exploitation, but the low barrier to exploitation and high user impact make it a near-term risk regardless of KEV status. Assume it will eventually appear on KEV and prioritize patching now.

This analysis is provided for informational purposes and does not constitute legal or professional security advice. The vulnerability details, CVSS score, affected versions, and patch information are based on official CVE and Google Chrome security advisories as of the published date. Patch availability, timeline, and compatibility may vary by device manufacturer, carrier, and Android version. Organizations should verify patch applicability in their specific environment before deployment. No exploit code or weaponized proof-of-concept is provided. For official guidance, consult Google's Chrome Security & Privacy blog and your device manufacturer's security bulletins. SEC.co makes no warranty regarding the completeness, accuracy, or timeliness of this information. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).