CVE-2026-11272: Chrome iOS Reading List Privilege Escalation Vulnerability
A flaw in Google Chrome's Reading List feature on iOS allows attackers to trick users into performing specific actions (like tapping or swiping) that trigger a privilege escalation attack. An attacker would need to craft a malicious webpage and convince the user to interact with it in a particular way. Once exploited, the attacker gains elevated permissions on the device, potentially compromising sensitive data or device functionality.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-20
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-05 / 2026-06-17
NVD description (verbatim)
Insufficient validation of untrusted input in Reading List in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform privilege escalation via a crafted HTML page. (Chromium security severity: Low)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11272 stems from insufficient validation of untrusted input within Chrome's Reading List component on iOS. The vulnerability exists in Chrome versions prior to 149.0.7827.53. It requires user interaction through specific UI gestures on a crafted HTML page to succeed. The underlying weakness (CWE-20: Improper Input Validation) allows an unauthenticated remote attacker to escape normal security boundaries and obtain elevated privileges. While Chromium's security team classified this as Low severity internally, the CVSS 3.1 score of 8.8 (HIGH) reflects the severity from an impact perspective due to the broad consequences of privilege escalation.
Business impact
Successful exploitation could allow attackers to compromise user credentials, access private browsing data, steal sensitive information stored in Chrome, or manipulate device behavior without authorization. For organizations where employees use Chrome on personal or corporate iOS devices, this increases risk of credential theft, data exfiltration, and potential lateral movement into enterprise networks. The reliance on user interaction slightly limits attack surface, but the ease of social engineering to trigger the required gestures makes this a meaningful risk.
Affected systems
Google Chrome on Apple iOS devices running versions prior to 149.0.7827.53 are vulnerable. This affects both iPhone and iPad users. The vulnerability does not impact Chrome on Android, Windows, macOS, or Linux. Any iOS user running an outdated Chrome build is at risk if they visit a malicious webpage and perform the targeted UI gesture.
Exploitability
Exploitation requires network-level delivery (AV:N) of a crafted HTML page and user interaction (UI:R), but no special privileges or access are needed to launch the attack. The attack complexity is low (AC:L), meaning straightforward social engineering—such as embedding the malicious page in a phishing email or compromised website—can work. The barrier to exploitation is moderate due to the user interaction requirement, but the technique is not technically sophisticated. This vulnerability is not currently tracked in CISA's Known Exploited Vulnerabilities catalog.
Remediation
Organizations should prioritize updating Chrome on all iOS devices to version 149.0.7827.53 or later. Users should enable automatic app updates on their iOS devices to receive patches without manual intervention. Additionally, security awareness training on avoiding suspicious websites and unexpected UI prompts can reduce risk. For managed environments, MDM solutions should enforce minimum Chrome version policies.
Patch guidance
Apply Chrome version 149.0.7827.53 or later on iOS. Users can check their current version via Settings > Apps > Google Chrome > App Version, or enable automatic updates through the App Store's auto-update setting. Organizations managing iOS devices should confirm patch deployment through their MDM console to ensure devices are compliant. Verify patch application within 30 days of release to minimize exposure window.
Detection guidance
Monitor for users visiting suspicious websites that may host exploit payloads, particularly those shared via phishing campaigns. Inspect HTTP/HTTPS logs for requests to known malicious domains. Look for unusual Reading List activity in browser history or unexpected privilege elevation events on iOS devices. Organizations with endpoint detection and response (EDR) solutions on iOS can flag unusual process spawning or capability usage following Chrome activity. However, detection is challenging without behavioral analytics in place; preventive patching remains the primary control.
Why prioritize this
Although not yet in active exploitation according to public records, the combination of high CVSS impact (8.8), low attack complexity, and reliance on a widely-used mobile browser warrants urgent prioritization. Privilege escalation on mobile devices often goes unnoticed by users and can persist across app boundaries. The moderate user-interaction barrier does not significantly reduce risk given the ease of social engineering. Delayed patching leaves organizations vulnerable to targeted campaigns against high-value employees or device compromise in supply-chain attack scenarios.
Risk score, explained
The CVSS 3.1 score of 8.8 (HIGH) reflects full confidentiality, integrity, and availability impact (C:H/I:H/A:H) resulting from privilege escalation on an unauthenticated, network-accessible vector. The network-based delivery (AV:N) and low complexity (AC:L) increase exploitability. Although Chromium internally rated this as Low severity—likely due to the user-interaction requirement and iOS sandbox mitigations—the actual impact of a successful exploit is severe. The HIGH severity classification appropriately prioritizes this above patch-later vulnerabilities and aligns with attack surface and business consequence.
Frequently asked questions
Do I need to be connected to a specific network or perform any setup for an attacker to target me?
No. The attacker only needs to deliver a crafted webpage to you—either by sending a phishing email, compromising a website you visit, or through other web-based distribution. No network setup or special configuration is required on the victim side. The attack is entirely delivered over the internet.
If I have automatic app updates enabled, am I protected?
Automatic updates help, but only once you upgrade to version 149.0.7827.53 or later. If you have auto-update enabled, your device will pull this patch within hours or days of its release (depending on your settings and Apple's rollout). However, check your current version manually to confirm you're not running an older build, as background updates can sometimes be delayed.
Does this vulnerability affect Chrome on Android phones?
No. This vulnerability is specific to Chrome on iOS. Android users are not affected by CVE-2026-11272. If you use Chrome on Android, you should still keep your browser updated, but this particular flaw is not a concern for Android devices.
What does 'privilege escalation' mean for a mobile app, and what could an attacker do with elevated privileges?
Privilege escalation means an attacker gains access to functionality or data they shouldn't normally be able to reach within or beyond Chrome. On iOS, this could allow them to bypass Safari's security restrictions, read files from other apps, access stored passwords or payment information, or gain deeper control over device behavior. Essentially, they move from being a 'guest' in the app to having 'admin-like' access, even though iOS sandboxing limits the full device takeover.
This analysis is based on publicly disclosed vulnerability information and vendor advisories current as of the publication date. Patch version numbers and technical details should be verified against Google's official Chrome Security Releases page and Apple's security updates. This explainer does not constitute professional security advice; organizations should conduct their own risk assessment and consult with qualified security personnel before implementing remediation. CVSS scores reflect industry-standard severity calculations and may not capture all organization-specific risk factors. Exploit availability and active exploitation status may change; consult CISA's KEV catalog and threat intelligence feeds for current threat landscape updates. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10021HIGHGoogle Chrome USB Validation Flaw – RCE Vulnerability Patch
- CVE-2026-10904HIGHChrome V8 Sandbox Escape Remote Code Execution
- CVE-2026-10911HIGHChrome Sandbox Escape Vulnerability (High Severity)
- CVE-2026-10917HIGHChrome Media Sandbox Escape Vulnerability (High CVSS 8.3)
- CVE-2026-10920HIGHChrome macOS WebShare Sandbox Escape Vulnerability (v149)
- CVE-2026-10922HIGHChrome DevTools Same-Origin Policy Bypass (CVSS 8.8)
- CVE-2026-10969HIGHChrome Extension Privilege Escalation Vulnerability – Patch Guidance
- CVE-2026-10970HIGHChrome Sandbox Escape via InterestGroups Input Validation Flaw