CVE-2026-11277: Chrome iOS Policy Bypass Vulnerability
A vulnerability in Chrome for iOS allows an attacker to bypass certain access controls through a specially crafted HTML page. The issue stems from insufficient enforcement of security policies in the iOS version of Chrome. An attacker would need to trick a user into visiting a malicious webpage, but no special user privileges are required and the attack is straightforward to execute. The primary risk is unauthorized modification of data or application behavior—not data theft or system crashes.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
- Weaknesses (CWE)
- CWE-284
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-05 / 2026-06-17
NVD description (verbatim)
Insufficient policy enforcement in Chrome for iOS in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker to bypass discretionary access control via a crafted HTML page. (Chromium security severity: Low)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11277 is a policy enforcement flaw (CWE-284: Improper Access Control) in Chrome for iOS versions prior to 149.0.7827.53. The vulnerability allows bypass of discretionary access control mechanisms when a user visits a crafted HTML page. The Chromium security team classified this as Low severity at the component level, yet the CVSS 3.1 score of 4.3 (MEDIUM) reflects the network-based attack vector, lack of authentication requirements, and potential for integrity compromise. The vulnerability does not enable remote code execution, confidentiality breaches, or availability attacks.
Business impact
While integrity impact is limited in scope, this vulnerability can undermine user trust in the security of the browser and device. On iOS devices used for sensitive workflows—email, banking, healthcare portals—unauthorized data modification could expose users to social engineering follow-ups or data corruption. Organizations managing corporate iPhone fleets should assess whether unpatched Chrome instances could be vectors for phishing augmentation or session hijacking. The low severity rating suggests business disruption is unlikely, but reputational and compliance considerations warrant timely patching.
Affected systems
Google Chrome on iOS (iPhone OS) versions before 149.0.7827.53 are affected. This includes all releases of Chrome for iOS up to and including 149.0.7827.52. Users on newer patch versions or those running the latest stable release (149.0.7827.53 or higher) are not vulnerable. The vulnerability does not affect Chrome on Android, macOS, Windows, or Linux, nor does it affect Safari or other iOS browsers.
Exploitability
Exploitation requires no special user privileges, authentication, or complex attack setup. An attacker simply crafts a malicious HTML page and relies on user interaction (visiting the page) to trigger the vulnerability. The attack surface is broad—any website, email link, or advertisement could serve as a delivery mechanism. However, the impact is limited to policy bypass rather than critical system compromise, and detection of unusual page behavior might alert observant users. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) confirms this is a low-friction attack with modest consequences.
Remediation
Update Chrome on iOS to version 149.0.7827.53 or later. Users can check their current version in the app settings (usually Settings > About Google Chrome) and enable automatic updates to prevent future gaps. Organizations managing iOS devices should verify that auto-update policies are enabled or push the patch through their mobile device management (MDM) solution. No workarounds or temporary mitigations are available; patching is the only remediation.
Patch guidance
Verify that your iOS devices are running Chrome 149.0.7827.53 or later. Apple's App Store will surface updates automatically if auto-update is enabled. For enterprise deployments, use your MDM platform (Intune, Kandji, Jamf, etc.) to confirm patch compliance and remediate any devices still on pre-149.0.7827.53 versions. Test the patch in a non-production environment first if your organization has custom enterprise configurations. No breaking changes or known compatibility issues have been reported with this patch version.
Detection guidance
Direct detection of this vulnerability's exploitation is challenging without network monitoring of iOS traffic. However, look for: (1) users reporting unexpected changes to bookmarks, settings, or autofill data in Chrome; (2) unusual HTTP requests originating from Chrome on iOS to domains not typically visited; (3) Chrome crashes or unexpected reload behavior. Log access policies on backend services that Chrome communicates with; unauthorized requests from iOS Chrome clients may indicate exploitation. Endpoint detection and response (EDR) on corporate Mac devices connected to the same network may also flag anomalous child processes if Chrome on iOS triggers secondary attacks.
Why prioritize this
This vulnerability merits prompt but not emergency remediation. The MEDIUM CVSS score (4.3), lack of KEV listing, and low Chromium severity rating indicate this is not an active zero-day or widely exploited threat. However, the low barrier to exploitation (no authentication, user click only) and the broad iOS user base mean that opportunistic attackers could leverage it. Prioritize patching for users who access sensitive services (email, banking, healthcare) or who are targets of spear-phishing campaigns. General users should also patch, but this is not a critical incident-response priority.
Risk score, explained
The CVSS 3.1 score of 4.3 (MEDIUM severity) reflects the attack complexity being low, the network-based vector, and lack of privilege requirements, balanced against the limited impact scope. The vulnerability does not enable confidentiality breaches (C:N) or availability disruption (A:N), only integrity compromise (I:L). This is why Chromium's own severity rating is Low, yet the industry-standard CVSS score elevates it to MEDIUM—a reasonable reflection of a real but contained risk. Organizations using CVSS for patch prioritization should not interpret this as critical but also should not deprioritize it below other medium-severity issues.
Frequently asked questions
Will this vulnerability affect my iPhone if I use Safari instead of Chrome?
No. This vulnerability is specific to Google Chrome on iOS. Safari and other browsers are unaffected. If you do not use Chrome on your iOS device, you are not vulnerable.
Can an attacker exploit this without me clicking a link or visiting a website?
No. Exploitation requires user interaction—specifically, visiting a crafted HTML page in Chrome. The attack does not occur in the background or via push notifications. Avoiding suspicious links and staying on trusted websites reduces risk.
Does this vulnerability allow an attacker to steal my passwords or access my banking app?
This vulnerability is limited to bypassing access control policies within Chrome, not exfiltrating data or compromising other apps. However, a successful policy bypass could allow modification of Chrome settings or data, which in turn could enable phishing or social engineering. For critical accounts (banking, email), always verify requests through a second channel and enable two-factor authentication.
How long do I have to patch before this becomes critical?
There is no known active exploitation or imminent deadline. However, delay increases your exposure window. As a rule of thumb, patch within 30 days for medium-severity vulnerabilities affecting broadly used software. If your organization is a target of spear-phishing or state-sponsored threats, prioritize patching sooner.
This analysis is provided for informational purposes. SEC.co makes no warranty regarding accuracy or completeness. Always verify patch version numbers, affected software versions, and vendor guidance against official vendor advisories before deploying patches. Consult your internal security team and risk management processes before prioritizing remediation. This document is not a substitute for professional cybersecurity consultation. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-11017MEDIUMChrome Link Preview Navigation Bypass (CVSS 6.5)
- CVE-2026-11026MEDIUMChrome Extension Navigation Bypass Vulnerability
- CVE-2026-11078MEDIUMChrome FileSystem Same-Origin Policy Bypass – MEDIUM Severity
- CVE-2026-11135MEDIUMChrome Autofill Bypass Allows Credential Misdirection
- CVE-2026-11187MEDIUMChrome Navigation Restriction Bypass Vulnerability
- CVE-2026-11190MEDIUMGoogle Chrome Extension Access Control Bypass (6.5 CVSS)
- CVE-2026-11193MEDIUMChrome Password Manager Access Control Bypass – CVSS 6.5
- CVE-2026-11197MEDIUMChrome Same-Origin Policy Bypass in Workers – Patch v149.0.7827.53