CVE-2026-11226: Chrome Android Same-Origin Policy Bypass – CVSS 6.5
A vulnerability in Google Chrome's PreviewTab feature on Android allows attackers to bypass the browser's same-origin policy—a core security boundary that prevents websites from accessing data belonging to other websites. An attacker would need to craft a malicious HTML page and convince a user to perform specific touch gestures (like swiping or tapping) to trigger the bypass. While the underlying Chromium issue is rated Low severity, the CVSS score reflects the real-world impact: an attacker could alter or exfiltrate data from other websites the user is visiting, though not eavesdrop on encrypted traffic or crash the device.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
- Weaknesses (CWE)
- CWE-346
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Insufficient policy enforcement in PreviewTab in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to bypass same origin policy via a crafted HTML page. (Chromium security severity: Low)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11226 exploits insufficient policy enforcement within PreviewTab, an Android Chrome feature that likely provides a preview or tab-switching mechanism. The vulnerability stems from a CWE-346 (Origin Validation Error) condition where the browser fails to properly validate the origin of content being previewed or displayed. By crafting specific HTML payloads and relying on user interaction via UI gestures, an attacker can circumvent the same-origin policy (SOP), allowing JavaScript execution or data access across origin boundaries. The vulnerability was patched in Chrome 149.0.7827.53 for Android.
Business impact
This vulnerability creates a targeted phishing and data-theft risk for organizations whose employees use Chrome on Android devices. An attacker could steal session cookies, authentication tokens, or sensitive data from banking, email, or SaaS platforms if a user is tricked into visiting a malicious site while authenticated elsewhere. For bring-your-own-device (BYOD) environments, this represents a potential bridge into corporate systems; for mobile-first enterprises, the risk is more direct. The requirement for user interaction (specific gestures) limits widespread exploitation but does not eliminate risk in targeted campaigns.
Affected systems
Google Chrome on Android devices prior to version 149.0.7827.53 is vulnerable. Desktop Chrome and Chrome on iOS are not affected. The vulnerability is specific to the PreviewTab implementation on the Android platform. Organizations should inventory Chrome deployments on Android—both managed (via MDM) and unmanaged (BYOD)—to understand exposure scope.
Exploitability
Exploitation requires two conditions: (1) a crafted HTML page hosted by the attacker, and (2) user interaction in the form of specific UI gestures (e.g., swipe or tap actions within PreviewTab). This is not a zero-interaction or passive vulnerability. An attacker would likely use social engineering, phishing emails, or malicious ads to lure users to the attacker's page. The attack surface is moderate—anyone browsing the web on vulnerable Chrome instances is at risk if they visit a malicious site, but the gesture requirement makes mass, silent exploitation unlikely. The vulnerability has not been flagged for active exploitation in the wild (KEV status: not added).
Remediation
Update Google Chrome on all Android devices to version 149.0.7827.53 or later. For managed environments (MDM/EMM), deploy updates through your mobile device management platform with appropriate staging to minimize disruption. For BYOD environments, notify users and provide clear update instructions; consider blocking or warning users on older Chrome versions via conditional access policies if your organization uses Workspace or other identity platforms. Verify update completion within 2–4 weeks.
Patch guidance
Verify that Chrome on Android has been updated to 149.0.7827.53 or a later stable release. Check version numbers in Chrome Settings > About Chrome, which will auto-update on most Android devices if automatic updates are enabled. For MDM-enrolled devices, confirm deployment through your management console. Given the Low underlying severity and lack of KEV status, standard patch cycles (within 30 days) are acceptable, though critical infrastructure or high-risk sectors should prioritize within 1–2 weeks. Verify that no legacy Android versions (pre-5.0) are still in use, as Chrome support varies by Android version.
Detection guidance
Monitor for unusual cross-origin requests or data exfiltration patterns from Chrome processes, particularly if PreviewTab or preview-related features are in use. Check browser history and network logs for visits to unfamiliar or suspicious domains around the time of suspected compromise. On managed devices, use MDM telemetry to identify Chrome versions still below 149.0.7827.53 and flag for remediation. Look for evidence of session hijacking (unexpected logins, changed passwords) on accounts accessed from vulnerable Chrome instances. Endpoint detection tools should monitor for abnormal data access patterns or credential theft indicators correlated with Chrome process activity.
Why prioritize this
While Chromium's internal rating is Low, the CVSS 6.5 Medium score reflects the integrity impact of same-origin bypass—a fundamental breach of web security. Prioritization should be moderate: patch within 2–4 weeks in most environments, faster (1–2 weeks) if users frequently access sensitive web services (banking, email, corporate apps) on their Android devices, or if BYOD is prevalent. The lack of KEV status and active exploitation reduces urgency, but the nature of the vulnerability (data theft, session hijacking) justifies faster remediation than typical Low-severity issues.
Risk score, explained
The CVSS 6.5 reflects attack vector Network (can be reached over the internet), attack complexity Low (no special conditions needed beyond user interaction), privilege requirement None (unauthenticated attacker), user interaction Required (specific gestures needed), scope Unchanged, confidentiality None (SOP bypass doesn't inherently leak encrypted data without additional payload), integrity High (attacker can modify or access data from other origins), and availability None. The integrity impact is the key driver; an attacker could steal session tokens or modify state, even if they cannot decrypt HTTPS traffic. This is not a critical vulnerability, but it is material enough to warrant measured urgency.
Frequently asked questions
Do I need to patch immediately, or can this wait until my next update window?
No immediate emergency action is required. Since the vulnerability is not in the KEV catalog and has not been actively exploited, you can schedule patching within your standard 2–4 week cycle. However, if your organization uses Android Chrome heavily for sensitive tasks (banking, email, CRM access), prioritize within 1–2 weeks. For security-conscious teams, aim to be patched within 30 days.
Does this affect Chrome on desktop or iOS?
No. This vulnerability is specific to Chrome on Android due to how the PreviewTab feature is implemented on that platform. Desktop Chrome and Chrome on iOS are unaffected, so no action is needed on those platforms.
What exactly is the attacker trying to steal, and how?
An attacker can trick the browser into treating content from one website as if it came from another (same-origin bypass). This allows them to steal session cookies, authentication tokens, or other data stored by legitimate websites. They cannot decrypt HTTPS traffic, but they can access unencrypted data or manipulate DOM content. The attack requires the user to visit a malicious site and perform specific gestures (like swiping in PreviewTab), so targeted phishing or social engineering is the most likely delivery vector.
How do I check if my Android devices are patched?
Open Chrome and go to Settings > About Chrome. If it auto-updates, it should show version 149.0.7827.53 or higher. If you manage devices via MDM, check your management console for Chrome version inventory. For BYOD, send users instructions to check their Chrome version and enable automatic updates if not already enabled.
This analysis is based on the published CVE record and Chromium security advisory. Patch version numbers and affected component details should be verified against the official Google Chrome security release notes. Organizations should adapt remediation timelines to their risk tolerance, device inventory, and the sensitivity of data accessible via their Android Chrome instances. This explainer does not constitute professional security advice; consult your security team and follow your organization's vulnerability management policy. No exploit code or proof-of-concept details are provided; this document is for defensive awareness only. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10010MEDIUMChrome Android Site Isolation Bypass
- CVE-2026-10937MEDIUMChrome Same-Origin Policy Bypass in Password Handling
- CVE-2026-10996MEDIUMChrome Same-Origin Policy Bypass in Web Workers
- CVE-2026-11020MEDIUMChrome Extension XML Cross-Origin Data Leak – Patch to 149.0.7827.53
- CVE-2026-11032MEDIUMChrome Password Manager Cross-Origin Data Leak
- CVE-2026-11036MEDIUMChrome Same-Origin Policy Bypass via DOM Implementation Flaw
- CVE-2026-11048MEDIUMChrome Extension Same-Origin Policy Bypass (Medium, 6.5)
- CVE-2026-11081MEDIUMChrome Canvas Same-Origin Policy Bypass