LOW 3.1

CVE-2026-11247: Chrome CustomTabs Cross-Origin Data Leak on Android

A flaw in Google Chrome's CustomTabs feature on Android allows an attacker to leak data across website boundaries through a specially crafted webpage. The vulnerability requires user interaction and is difficult to exploit, affecting Android devices running Chrome versions before 149.0.7827.53. While the risk is low, it represents a potential privacy leak in a widely used mobile browser component.

Source data · NVD / CISA · public domain

CVSS
3.1 · 3.1 LOW · CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
Weaknesses (CWE)
CWE-693
Affected products
2 configuration(s)
Published / Modified
2026-06-05 / 2026-06-17

NVD description (verbatim)

Insufficient policy enforcement in CustomTabs in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11247 involves insufficient policy enforcement in CustomTabs, a Chrome component that displays third-party web content in a custom browser interface on Android. The vulnerability permits cross-origin data leakage via a crafted HTML page. CustomTabs are commonly used by Android applications to render web content without launching the full browser; the policy gap allows an attacker to circumvent origin isolation protections in this context. The flaw is rooted in weak enforcement mechanisms (CWE-693: Incorrect Default Comparison) that fail to properly validate cross-origin boundaries. Chromium's own assessment classified this as Low severity, and it requires both user interaction and specific preconditions to trigger.

Business impact

The business impact is constrained by the vulnerability's low severity and exploitation barriers. Organizations shipping Android applications that leverage Chrome CustomTabs should monitor for patches to maintain user privacy assurances. For typical enterprises, this is unlikely to trigger immediate incident response, but privacy-sensitive applications—particularly those handling authentication flows or personal data—should prioritize update deployment. The reputational risk is low unless an organization's application is specifically targeted and data exposure occurs.

Affected systems

Google Chrome on Android versions prior to 149.0.7827.53 are vulnerable. Any Android application using Chrome CustomTabs to display third-party web content is potentially affected. Desktop Chrome and Chrome on other platforms are not impacted. The vulnerability is specific to the Android implementation of CustomTabs functionality.

Exploitability

Exploitability is low. An attacker must craft a malicious HTML page and convince a user to navigate to it within a CustomTabs context, likely within a vulnerable application. The attack chain requires user interaction and relies on specific environmental conditions; automated or remote exploitation without user involvement is not feasible. No public exploit code or active exploitation has been reported, and the flaw is not tracked as a known exploited vulnerability (KEV).

Remediation

Update Google Chrome on Android to version 149.0.7827.53 or later. Developers of Android applications using CustomTabs should verify they are building against the latest Chrome support library and encourage users to keep their browser updated. No workarounds exist; patching is the only mitigation.

Patch guidance

End-users should enable automatic updates in the Google Play Store to receive Chrome 149.0.7827.53 and later. Application developers should test their CustomTabs implementations against the patched Chrome version to ensure compatibility. Patch deployment is routine and does not require special configuration or compatibility checks for most users. Verify availability through Google's official Chrome release notes and the Android Security & Privacy Year in Review for confirmation of inclusion in the June 2026 security update.

Detection guidance

Detection is primarily reactive. Monitor for user reports of unexpected data exposure within applications using CustomTabs. Network-based detection of the attack pattern is difficult because the malicious payload is delivered as a crafted HTML page. Endpoint detection can focus on Chrome crash dumps or unexpected memory access patterns, but these are not reliable indicators. The best detection strategy is confirming device Chrome versions and CustomTabs library versions across your fleet; devices running Chrome older than 149.0.7827.53 remain vulnerable until patched.

Why prioritize this

Prioritize this vulnerability in your patch management workflow based on Android device prevalence in your environment and adoption of applications using CustomTabs. For most organizations, this is a low-priority patch because exploitation requires user interaction, the severity is acknowledged as Low, and no active exploitation has been reported. However, applications in privacy-sensitive domains (financial services, healthcare) or those processing sensitive authentication flows via CustomTabs should be prioritized for testing and update cycles. Organizations with strict compliance requirements around data isolation may elevate this slightly due to its cross-origin data leakage nature.

Risk score, explained

The CVSS 3.1 score of 3.1 (Low severity) reflects the limited scope and user-interaction requirement. The attack vector is Network, indicating the malicious page must be served over the internet, but the Attack Complexity is High, acknowledging that specific conditions must be met. Privileges are not required, but User Interaction is mandatory—a user must navigate to the attacker's page within a vulnerable application context. The scope is Unchanged (impact is limited to the user's own Chrome instance), Confidentiality impact is Low (partial data disclosure), and there is no Integrity or Availability impact. This scoring aligns with Chromium's Low severity classification.

Frequently asked questions

Does this affect Chrome on my desktop or laptop?

No. CVE-2026-11247 is specific to Chrome on Android and does not impact Windows, macOS, or Linux versions of Chrome.

What data could be leaked?

The vulnerability allows leakage of cross-origin data—information that should be isolated between different websites or services. The exact data exposed depends on what the attacker's crafted page targets and what data is available within the CustomTabs context. It is not a universal credential or full-device data leak.

Is this actively being exploited in the wild?

No. As of the publication date, there is no evidence of active exploitation, and the vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.

Do I need to update immediately?

Update on your normal patch cycle. For most users and organizations, this is a routine update that can be deployed without urgency. If your environment relies heavily on privacy-sensitive applications using CustomTabs, prioritize it within your update schedule.

This analysis is based on publicly available vulnerability data as of the publication and modification dates provided. CVSS scores, affected versions, and patch information reflect the official Chromium and Google security advisories; verify patch version numbers against Google's official Chrome release notes before deployment. No exploit code or weaponized proof-of-concept is provided. This vulnerability analysis is for informational purposes and does not constitute legal, compliance, or professional security advice. Organizations should conduct their own risk assessment and testing before applying patches to production environments. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).