CVE-2026-11215: Chrome Android Domain Spoofing Vulnerability
A flaw in how Google Chrome handles domain names on Android devices allows attackers to trick users into visiting fake websites that appear legitimate. By crafting a specially formatted domain name, an attacker can make Chrome display a spoofed address bar, convincing users they're on a trusted site when they're actually on a malicious one. The vulnerability requires user interaction—the victim must visit a link or be socially engineered—but poses a direct threat to credential theft and phishing campaigns.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
- Weaknesses (CWE)
- CWE-451
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Inappropriate implementation in Cronet in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to perform domain spoofing via a crafted domain name. (Chromium security severity: Medium)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11215 is an implementation defect in Cronet (Google's HTTP/HTTPS networking library) affecting Chrome on Android prior to version 149.0.7827.53. The vulnerability falls under CWE-451 (User Interface (UI) Misrepresentation of Critical Information), where improper domain validation allows a malicious domain name to be rendered in a way that deceives the user about the actual origin of the content being loaded. The flaw does not allow arbitrary code execution or direct data exfiltration, but undermines the security indicator that users rely on to verify website authenticity.
Business impact
Domain spoofing via UI misrepresentation significantly increases phishing and credential harvesting risk. Users cannot reliably distinguish legitimate from malicious sites on affected Android devices, increasing the likelihood of successful social engineering attacks. Organizations with mobile workforces using Chrome on Android face elevated risk of employee credentials being compromised, especially for cloud services and financial platforms. This is particularly dangerous in bring-your-own-device (BYOD) environments where employee devices lack managed controls.
Affected systems
Google Chrome on Android running versions prior to 149.0.7827.53 are directly affected. The vulnerability is specific to the Android platform; Chrome on desktop and other browsers are not affected by this particular flaw. All Android users running the vulnerable Chrome versions are at risk, regardless of device manufacturer or Android OS version, as the issue resides in Chrome's Cronet library.
Exploitability
The vulnerability has a network attack vector and low complexity, meaning it requires no special network positioning. However, it does require user interaction—the victim must click a malicious link or visit an attacker-controlled website. No exploit code appears to be in active circulation, and the vulnerability is not listed on the KEV catalog, suggesting limited real-world exploitation to date. The barrier to exploitation is low for attackers with basic phishing infrastructure, making widespread abuse likely once users become aware of the attack pattern.
Remediation
Organizations should prioritize updating Google Chrome on all Android devices to version 149.0.7827.53 or later. For managed environments, enforce automatic updates or deploy mobile device management (MDM) policies to push the patch. Users should manually check Settings > About Chrome and install updates immediately. Additionally, security awareness training should emphasize verifying domain names carefully and looking for HTTPS certificate indicators, as this flaw undermines those visual cues.
Patch guidance
Google Chrome on Android should be updated to version 149.0.7827.53 or any subsequent release. Verify the installed version by navigating to Chrome menu > Settings > About Chrome, which will display the current version and automatically check for updates. Enterprise organizations can validate patch deployment through their MDM console or by reviewing device inventory reports. No workarounds exist; patching is the only remediation.
Detection guidance
Detection at the network level is difficult, as the attack relies on UI deception rather than network anomalies. Focus detection efforts on user behavior: monitor for unusual authentication failures from mobile devices, spike in phishing report submissions from mobile users, or clusters of failed logins followed by successful ones (credential stuffing patterns). Application logs may show authentication from unexpected geolocations or user agents. Endpoint detection and response (EDR) solutions on managed Android devices can flag Chrome versions below 149.0.7827.53. User reporting remains the most reliable detection mechanism for phishing attempts leveraging this vulnerability.
Why prioritize this
While the CVSS score is moderate (6.5), the practical impact justifies prompt remediation. Domain spoofing is a foundational attack for phishing and credential theft, which are the most common attack vectors in the real world. The vulnerability affects a ubiquitous application (Chrome) on a widely used platform (Android), creating broad exposure. The requirement for user interaction does not significantly reduce risk in practice, as phishing success rates are consistently high. Organizations should prioritize this patch within their standard update cycle, especially for users with access to sensitive systems.
Risk score, explained
The CVSS 3.1 score of 6.5 (Medium) reflects the integrity impact (high) from successful domain spoofing, balanced against the requirement for user interaction and the lack of confidentiality or availability impact. The score does not fully capture the real-world prevalence of phishing and social engineering attacks, which exploit this type of vulnerability repeatedly and effectively. Security teams should consider raising internal priority above the base CVSS score based on organizational risk tolerance for phishing and credential compromise.
Frequently asked questions
Does this vulnerability allow attackers to steal data directly?
No. The vulnerability does not provide direct access to data or enable code execution. Instead, it allows attackers to deceive users about which website they are visiting, making phishing and social engineering more effective. The actual data theft occurs only if the user is tricked into entering credentials or sensitive information on the fake site.
Are desktop Chrome users affected?
No. This vulnerability is specific to Chrome on Android and affects the Cronet networking library used by Chrome for Android. Desktop versions of Chrome (Windows, macOS, Linux) are not affected by this particular flaw.
What should BYOD programs do?
Organizations with BYOD policies should enforce a requirement that personal devices running Chrome on Android be updated to version 149.0.7827.53 or later before accessing corporate resources. Consider using conditional access policies that block authentication from unpatched Chrome browsers, or provide clear communication to users about the patch timeline and security importance.
Can this be exploited without user interaction?
No. The attack requires the user to visit a malicious link or website. However, this is not a significant barrier in practice, as phishing emails, malicious advertisements, and social engineering are effective at driving user clicks.
This analysis is provided for informational purposes and reflects the vulnerability details as of the publication date. Verify all patch versions, affected product versions, and vendor advisories against official Google Chrome release notes before implementing remediation. The CVSS score represents a standardized base score; organizations should adjust their internal risk ratings based on their specific environment, user base, and threat landscape. No exploit code is provided, and this analysis does not constitute professional security advice. Consult your security team or a qualified vulnerability management professional for decisions specific to your infrastructure. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10984MEDIUMGoogle Chrome Android UI Spoofing Vulnerability – Medium Severity
- CVE-2026-11001MEDIUMGoogle Chrome UI Spoofing in Payments – Patch Now
- CVE-2026-11019MEDIUMChrome Android Payments Domain Spoofing Vulnerability
- CVE-2026-11107MEDIUMGoogle Chrome UI Spoofing Vulnerability – Patch Guide
- CVE-2026-11216MEDIUMChrome File Input UI Spoofing – Patch to 149.0.7827.53
- CVE-2026-11222MEDIUMChrome Tab Strip Domain Spoofing Vulnerability – Patch Guide
- CVE-2026-11225MEDIUMChrome Domain Spoofing Vulnerability – Patch Guidance
- CVE-2026-11227MEDIUMChrome Tab Hover Card Domain Spoofing Vulnerability