MEDIUM 6.5

CVE-2026-11270: Chrome Android Cross-Origin Data Leak via UI Flaw

Google Chrome on Android versions before 149.0.7827.53 contain a UI implementation flaw that allows attackers to trick users into visiting specially crafted web pages, potentially exposing sensitive data from other websites the user has visited or is logged into. The vulnerability requires user interaction (clicking a link or visiting a malicious page) but poses a meaningful confidentiality risk by circumventing the browser's cross-origin protections.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-352
Affected products
2 configuration(s)
Published / Modified
2026-06-05 / 2026-06-17

NVD description (verbatim)

Inappropriate implementation in UI in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

This vulnerability stems from an inappropriate implementation in Chrome's Android UI layer that fails to properly enforce cross-origin isolation boundaries. The flaw is classified as a cross-site request forgery (CSRF)-adjacent issue (CWE-352) where a malicious HTML page can induce the browser to leak data intended to be protected by the same-origin policy. The Chromium project rated this as Low severity from a platform perspective, though the resulting CVSS 3.1 score of 6.5 reflects the confidentiality impact when considering the user-facing attack surface and the necessity of user interaction.

Business impact

Organizations managing Android devices in enterprise environments should recognize that compromised confidentiality of cross-origin data could lead to credential theft, session hijacking, or exposure of sensitive information users access through Chrome. While the attack requires social engineering (convincing a user to visit a malicious page), the potential for exfiltration of authentication tokens or personal data accessed across multiple websites represents a material risk to user privacy and account security. Affected users may not realize their data has been leaked, complicating incident detection.

Affected systems

Google Chrome on Android devices running versions prior to 149.0.7827.53 are vulnerable. The vulnerability does not affect Chrome on desktop platforms (Windows, macOS, Linux) or other browsers. Android users should verify their installed Chrome version immediately. Organizations deploying Chrome on Android via Mobile Device Management (MDM) solutions should prioritize updates to 149.0.7827.53 or later.

Exploitability

Exploitation requires a remote attacker to craft a malicious HTML page and convince a user to visit it—for example, through phishing, social media, or compromised advertising. The attack does not require elevated privileges or special network positioning (AV:N/AC:L/PR:N). Once a user clicks the link or lands on the page, the browser's UI implementation flaw can be leveraged to leak cross-origin data without additional user action beyond the initial visit. This is a practical attack vector, though it depends on successful social engineering. There is no indication this vulnerability is being actively exploited in the wild at this time.

Remediation

Update Google Chrome on Android to version 149.0.7827.53 or later. Updates are typically delivered automatically through the Google Play Store, but users can manually check for updates by opening Chrome, navigating to Settings > About Chrome, and confirming the version number. For organizations, MDM policies should enforce automatic updates or mandate manual deployment of the patched version. No workarounds are available; patching is the only remediation.

Patch guidance

Verify and deploy Chrome version 149.0.7827.53 or later on all Android devices in your environment. Establish an MDM policy (if applicable) to enforce automatic updates or to report on non-compliant devices. Users can self-verify by checking Settings > About Chrome in the browser; the version is displayed prominently. Acknowledge that this patch may be rolled out in stages via the Play Store, so not all devices may receive it immediately. Consider using Chrome's enterprise policies to disable older versions if you have control over device provisioning. Test the patched version on a representative device before enterprise-wide rollout to ensure no regression with internal web applications.

Detection guidance

Detection of exploitation attempts is challenging because the attack occurs within a normal browser session without generating distinctive network traffic. Organizations should monitor for unusual data exfiltration patterns or unexpected authentication token usage from user sessions. Endpoint Detection and Response (EDR) tools may observe suspicious JavaScript execution within Chrome's sandbox if the malicious page attempts to extract sensitive data, though the browser's isolation typically limits observability. The most practical detection approach is to ensure Chrome is kept current and monitor for alerts of devices running older versions. Consider user awareness training to recognize phishing links that may host exploit pages.

Why prioritize this

While the CVSS score of 6.5 (MEDIUM) is elevated by the high confidentiality impact (C:H), this should not trigger emergency response. The vulnerability requires user interaction and social engineering, making it fundamentally lower-risk than a remotely exploitable server vulnerability. However, Android's fragmentation means patching timelines vary by device and carrier, prolonging the exposure window. Prioritize based on the number of Android Chrome users in your environment and their exposure to phishing risk. Organizations in sectors with high-value credentials (finance, healthcare, government) should accelerate patching to reduce the window for targeted attacks.

Risk score, explained

The CVSS 3.1 score of 6.5 reflects Attack Vector (Network), Attack Complexity (Low), and Privileges Required (None), yielding a base exploitability of 3.9. The confidentiality impact (High) and the absence of integrity or availability impact yield a base impact of 3.6. The user interaction requirement (User Interaction: Required) and scope unchanged (Scope: Unchanged) keep the score in the MEDIUM range rather than HIGH. This scoring appropriately captures that the flaw is remotely triggerable but dependent on user action, and its impact is confidentiality-only. Organizations should not treat a 6.5 as equivalent to a critical vulnerability, but neither should they deprioritize it indefinitely.

Frequently asked questions

Does this vulnerability affect Chrome on Windows, macOS, or Linux?

No. This vulnerability is specific to Chrome on Android due to an inappropriate UI implementation on that platform. Desktop versions of Chrome are not affected.

What data could an attacker leak with this vulnerability?

An attacker could potentially leak data from other websites the user is logged into or has visited, such as authentication tokens, session cookies, or personal information stored in those sessions. The exact data depends on what the user has accessed and how the malicious page is crafted.

Do I need to do anything if I've already been using Chrome and updating automatically?

If Chrome is set to update automatically (the default on most Android devices), the update to 149.0.7827.53 should have been applied or be in progress. You can verify by opening Chrome and checking Settings > About Chrome. If the version matches 149.0.7827.53 or higher, you are protected.

Is this vulnerability being actively exploited?

There is no public evidence of active exploitation. The vulnerability was disclosed by the Chromium project as part of routine security updates. However, attackers may attempt to exploit it once patches are widely deployed, making timely updates important.

This analysis is based on the CVE description and public advisory data available as of the modification date (June 17, 2026). Security landscape and remediation steps may evolve. Verify patch version numbers and deployment instructions against official Google Chrome and Android security advisories before implementation. SEC.co does not take responsibility for misapplication of patches or compatibility issues arising from updates. This vulnerability analysis is for informational purposes and should be integrated into your organization's broader vulnerability management and risk assessment processes. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).