MEDIUM 6.3

CVE-2026-11184: Chrome Navigation Policy Bypass via Crafted HTML

Google Chrome versions before 149.0.7827.53 contain a flaw that allows attackers to bypass navigation controls through a specially crafted webpage. An attacker could craft a malicious HTML page that, when visited by a user, circumvents Chrome's built-in protections that normally restrict where the browser can navigate. This requires user interaction—the victim must visit the malicious page—but the barrier to exploitation is otherwise low. The vulnerability affects Chrome on Windows, macOS, and Linux systems.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Weaknesses (CWE)
CWE-602
Affected products
4 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Insufficient policy enforcement in Actor in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability stems from insufficient policy enforcement in Chrome's Actor component, categorized under CWE-602 (Client-Side Enforcement of Server-Side Security). The flaw permits a remote, unauthenticated attacker to craft HTML content that evades Chrome's navigation policy restrictions. The CVSS 3.1 score of 6.3 (Medium severity) reflects a network-exploitable vector with low attack complexity; however, exploitation requires user interaction (visiting the malicious page) and impacts confidentiality, integrity, and availability at a low level per the affected scope. Chromium project initially assessed this as Medium severity.

Business impact

For enterprise users, this vulnerability creates a targeted phishing vector. An attacker could host a malicious site designed to redirect users in unexpected ways or cause navigation to untrusted destinations, potentially leading to credential harvesting, malware distribution, or confusion about security boundaries. The requirement for user interaction means organizations should focus on user awareness alongside patching. The low-to-medium impact rating suggests this is not a critical infrastructure-level risk, but it warrants prompt remediation to eliminate a plausible attack surface, particularly for organizations where users visit untrusted web content.

Affected systems

Google Chrome is the primary affected product. The vulnerability also affects Chrome installations on supported operating systems: Apple macOS, Linux (via the Linux kernel environment), and Microsoft Windows. Users running Chrome version 149.0.7827.53 or later are protected. The vulnerability does not appear to affect Chromium-based browsers other than Chrome itself based on the CVE scope, though administrators should verify if other Chromium derivatives in their environment require separate updates.

Exploitability

Exploitation is straightforward in execution but requires a user to visit a malicious webpage. An attacker must craft an HTML page that exploits the insufficient policy enforcement—this is a client-side, single-stage attack with no need for prior system access or authentication. The low attack complexity and network accessibility make this suitable for mass distribution via email, advertisements, or compromised legitimate sites. However, the user-interaction requirement (UI:R) significantly reduces the risk compared to a direct browser vulnerability that requires no user action. Successful exploitation results in localized policy bypass rather than system compromise, limiting the scope.

Remediation

Update Google Chrome to version 149.0.7827.53 or later on all affected systems. Chrome's auto-update mechanism should deliver this patch automatically for most users; verify deployment via chrome://help (Settings > About Chrome). For managed environments, use Chrome's enterprise policy update channels or mobile device management (MDM) solutions to enforce patching. No workarounds are available; patching is the only mitigation. Organizations should confirm patch deployment within 2–4 weeks of the stable release date.

Patch guidance

Chrome version 149.0.7827.53 or later contains the fix. Users should enable automatic updates; Chrome on Windows, macOS, and Linux will prompt for restart when an update is available. Enterprise administrators should verify patch deployment via chrome://version or use Chrome OS management console / MDM tools to confirm all endpoints have updated. No additional configuration is required post-patch. Verify the fix is in place by checking the version number in Settings > About Chrome or chrome://version.

Detection guidance

Monitor for Chrome version drift using endpoint detection and response (EDR) tools or mobile device management (MDM) if Chrome is managed. For network-based detection, look for unusual navigation patterns or redirects from internal systems to external C&C-like domains, though this is difficult to distinguish from legitimate traffic without proxies and decryption. User reports of unexpected browser redirects or page navigation should trigger investigation. Logging of Chrome version compliance can be automated via enterprise management tools. No signature-based detection is practical because the vulnerability is in policy enforcement logic, not a binary pattern.

Why prioritize this

This vulnerability merits near-term patching (within 2–4 weeks) due to its low barrier to user exploitation and potential for phishing-oriented attacks, but it is not a drop-everything emergency. The Medium severity, user-interaction requirement, and limited scope (confidentiality, integrity, and availability impacts are each low) place it below critical vulnerabilities. However, its exploitability via social engineering and presence across multiple operating systems means it should not be deprioritized. Organizations with high-security-awareness cultures may prioritize other risks first, but general enterprises should treat this as standard patching priority.

Risk score, explained

The CVSS 3.1 score of 6.3 reflects a Medium-severity vulnerability with several mitigating factors. The network-accessible attack vector (AV:N) and low attack complexity (AC:L) indicate ease of delivery. However, the requirement for user interaction (UI:R) and unchanged scope (S:U) reduce the severity. The low individual impact to confidentiality (C:L), integrity (I:L), and availability (A:L) further constrains the score. This is not a high-severity finding; the score appropriately reflects a phishing-like attack that bypasses browser navigation policy rather than a direct code-execution or authentication bypass flaw.

Frequently asked questions

Does this vulnerability affect Chrome on mobile devices?

Yes, if Chrome is installed on Android or iOS and the version is below 149.0.7827.53, the device is affected. Mobile users should enable automatic updates in the Google Play Store (Android) or App Store (iOS) to receive the patch. Enterprises using MDM should push Chrome updates through their mobile management platform.

What exactly is a 'navigation restriction' bypass?

Chrome enforces policies that control where the browser is allowed to navigate—for example, preventing cross-origin navigation under certain conditions or restricting navigation to specific domains in enterprise deployments. This vulnerability allows a crafted webpage to circumvent those controls, enabling unauthorized redirects or navigation that would normally be blocked by policy.

Is there a known active exploit or public proof-of-concept?

The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, indicating no verified active exploitation has been documented at the time of this advisory. However, the low barrier to exploitation means organizations should not delay patching in expectation that exploitation remains theoretical.

Can this be exploited if a user simply views a malicious ad or email link?

Yes. The attacker needs only to trick a user into visiting a malicious webpage—either by clicking a link in an email, visiting an ad-poisoned site, or landing on a compromised legitimate website. No additional user action, such as disabling security warnings, is documented as necessary for exploitation.

This analysis is based on publicly available vulnerability data current as of the publication date. Patch version numbers and affected product lists are drawn from official vendor advisories and the CVE record; verify patch applicability in your specific environment before deploying. No exploit code or detailed attack reproduction steps are provided. Organizations should conduct their own risk assessment and testing in non-production environments. This document does not constitute professional security advice; consult your organization's security team and vendor documentation for guidance specific to your infrastructure. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).