CVE-2026-11275: Chrome Android Navigation Bypass via Renderer Compromise
A flaw in how Google Chrome on Android displays page information allows an attacker who has already compromised Chrome's rendering engine to bypass navigation security controls. An attacker would need to trick a user into viewing a specially crafted webpage after gaining control of the browser's internal processes. The vulnerability is rated Medium severity because while it requires significant pre-existing compromise, it enables attackers to circumvent protections that prevent unauthorized navigation to restricted pages.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
- Weaknesses (CWE)
- CWE-284
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-05 / 2026-06-17
NVD description (verbatim)
Inappropriate implementation in Page Info in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Low)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11275 stems from an inappropriate implementation in Chrome's Page Info component on Android. The vulnerability resides in the renderer process security boundary; an attacker with renderer-level code execution can craft HTML content that, when processed, bypasses the browser's navigation restrictions. The flaw is classified under CWE-284 (Improper Access Control) and was assigned Low severity by the Chromium security team, though the CVSS 3.1 scoring (6.5 Medium) reflects the practical impact when combined with renderer compromise. The vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N indicates network attack feasibility with user interaction required, high integrity impact (unauthorized navigation), and no confidentiality or availability consequences.
Business impact
Organizations relying on Chrome-based mobile workflows face a specific but limited risk. This vulnerability only threatens users whose Chrome renderer process has already been compromised—a prerequisite suggesting prior malware infection or exploitation of a separate Chrome flaw. An attacker leveraging this flaw could redirect users from safe applications or login flows to phishing pages or malicious domains without typical browser safeguards. For enterprise environments using Chrome on managed Android devices, this represents an incremental risk that compounds other browser-level compromises rather than a standalone attack surface.
Affected systems
Google Chrome on Android versions prior to 149.0.7827.53 are affected. Desktop Chrome and Chrome on other platforms are not impacted by this specific flaw. The vulnerability is specific to Android's implementation of the Page Info feature and does not extend to iOS Safari, Firefox, or other browsers. Organizations should verify their deployed Chrome versions across Android endpoints.
Exploitability
Exploitation requires a two-stage attack: first, the attacker must compromise Chrome's renderer process through a separate vulnerability or malware infection; second, they must serve a crafted HTML page to the compromised browser. While the initial compromise is challenging, once achieved, triggering this bypass is straightforward. The vulnerability is not currently tracked in the CISA Known Exploited Vulnerabilities (KEV) catalog, suggesting limited active exploitation in the wild to date. However, the relatively low barrier to exploitation post-compromise warrants timely patching.
Remediation
Update Google Chrome on Android to version 149.0.7827.53 or later. Users should enable automatic Chrome updates in their Android device settings to ensure patches are deployed promptly. For managed enterprise Android deployments, administrators should use Mobile Device Management (MDM) policies to enforce Chrome version pinning or auto-update configurations. No workarounds exist; patching is the only mitigation.
Patch guidance
Patch deployment should prioritize devices running Chrome older than 149.0.7827.53. Most users on auto-update will receive this patch automatically; however, organizations with MDM controls should verify deployment within two weeks of the patch release. The patch is incremental and does not require device restart. For Android Enterprise customers, ensure that Chrome updates are not blocked by organizational policies or custom ROM configurations. Users on older Android OS versions (e.g., Android 8 or earlier) should confirm their device receives the Chrome update, as some older devices may fall out of the Chrome support window.
Detection guidance
Detection is challenging because the exploit runs entirely within the browser renderer process and leaves minimal forensic artifacts. Endpoint Detection and Response (EDR) solutions should monitor for suspicious Chrome child processes spawning unexpected network connections or file operations. Security teams can review Chrome update compliance metrics via MDM consoles to identify devices lagging behind version 149.0.7827.53. Monitor user reports of unexpected page redirects or navigation anomalies in Chrome on Android, which may indicate prior renderer compromise. Web proxies and DNS logging may capture unusual navigation patterns if crafted HTML pages attempt to redirect to known malicious domains.
Why prioritize this
Despite the Medium CVSS score, this vulnerability should not be treated as an emergency. The requirement for prior renderer process compromise significantly limits immediate threat surface. However, it should be patched within standard maintenance windows (1–3 weeks) because: (1) it represents an additional capability for already-compromised browsers, (2) bundling this patch with routine Chrome updates is operationally efficient, and (3) delaying exposes devices to cumulative browser risk. Organizations with high-risk profiles (finance, government, critical infrastructure) managing sensitive user flows on Chrome should prioritize this patch slightly higher.
Risk score, explained
The CVSS 3.1 score of 6.5 Medium reflects the conditional nature of the risk. High integrity impact (I:H) stems from the ability to redirect users against their intent, violating browser security expectations. However, attack vector (AV:N) and attack complexity (AC:L) assume the renderer is already compromised, which significantly constrains the practical attack surface compared to a remote code execution flaw. The lack of confidentiality (C:N) and availability (A:N) impact limits the score further. Organizations should interpret this as 'urgent to patch during the next maintenance cycle' rather than 'drop everything and patch today.'
Frequently asked questions
Does this affect Chrome on Windows, macOS, or Linux?
No. This vulnerability is specific to Chrome on Android due to differences in how the Page Info component is implemented across platforms. Desktop versions of Chrome are not affected by CVE-2026-11275.
What does 'renderer process compromise' mean, and how likely is it?
The renderer process is Chrome's isolated engine that runs webpage code. A compromise requires the attacker to first exploit a separate Chrome vulnerability, achieve malware infection, or chain this flaw with another weakness. Standalone, it is not exploitable; it only amplifies the impact of prior compromise. Active renderer exploits are relatively rare but do occur, making this a secondary risk to monitor.
Can I detect if my Chrome has been compromised via this flaw?
Detecting renderer compromise is difficult because it occurs in an isolated process. Look for signs of browser hijacking: unexpected redirects, new extensions you did not install, or unusual network activity from the Chrome process. Enable Chrome's Safe Browsing and check your Android device's app permissions to see if Chrome has unusual access grants. If suspected, perform a full device security scan and consider a factory reset.
Is there a public exploit or proof-of-concept code available?
As of the published date, this vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog and no public exploit has been documented. However, motivated threat actors may develop exploits once the vulnerability is widely disclosed, which reinforces the need for timely patching.
This analysis is based on publicly available information as of the vulnerability publication date. CVSS scores and severity ratings are provided by the vendor and should be verified against the official Chromium security advisory. Patch version numbers (149.0.7827.53) are derived from the source data; verify against your vendor's official security bulletin before deployment. This explainer does not constitute security advice and should not replace consultation with your organization's security team or the vendor's official guidance. No guarantee is made regarding the completeness or accuracy of exploitation requirements, and the threat landscape may evolve after publication. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-11017MEDIUMChrome Link Preview Navigation Bypass (CVSS 6.5)
- CVE-2026-11026MEDIUMChrome Extension Navigation Bypass Vulnerability
- CVE-2026-11078MEDIUMChrome FileSystem Same-Origin Policy Bypass – MEDIUM Severity
- CVE-2026-11135MEDIUMChrome Autofill Bypass Allows Credential Misdirection
- CVE-2026-11187MEDIUMChrome Navigation Restriction Bypass Vulnerability
- CVE-2026-11190MEDIUMGoogle Chrome Extension Access Control Bypass (6.5 CVSS)
- CVE-2026-11193MEDIUMChrome Password Manager Access Control Bypass – CVSS 6.5
- CVE-2026-11197MEDIUMChrome Same-Origin Policy Bypass in Workers – Patch v149.0.7827.53