MEDIUM 4.3

CVE-2026-11285: Chrome iOS UI Spoofing Vulnerability – Patch Guidance

Google Chrome on iOS versions before 149.0.7827.53 contain a flaw that allows attackers to trick users with fake, spoofed user interface elements embedded in malicious web pages. An attacker would need to convince a user to visit a crafted HTML page, but no special privileges are required and the attack can be delivered over the network. The vulnerability does not compromise data confidentiality or availability, but could deceive users about what they are viewing or interacting with.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Weaknesses (CWE)
CWE-451
Affected products
2 configuration(s)
Published / Modified
2026-06-05 / 2026-06-17

NVD description (verbatim)

Inappropriate implementation in Chrome for iOS in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11285 is an inappropriate UI implementation vulnerability in the Chrome for iOS browser engine. The issue stems from inadequate validation or handling of HTML rendering that permits crafted pages to spoof browser UI elements—such as address bars, button text, or security indicators—making it appear as though the user is on a legitimate site or interacting with a trusted interface. The vulnerability is classified under CWE-451 (User Interface Errors and Incorrectness) and carries a CVSS 3.1 score of 4.3 (MEDIUM severity). Exploitation requires user interaction and network access, but no authentication or elevated privileges.

Business impact

This vulnerability primarily enables phishing and social engineering attacks with higher success rates, as attackers can now obscure malicious intent by mimicking trusted interfaces. Organizations with iOS users accessing sensitive web applications through Chrome—particularly for financial, healthcare, or corporate systems—face elevated risk of credential harvesting, account takeover, and information disclosure through deception. While individual data theft per incident may be limited, the ability to scale UI spoofing attacks across many users poses a cumulative reputational and operational risk.

Affected systems

Google Chrome for iOS prior to version 149.0.7827.53 is affected. The vulnerability is specific to the iOS variant and does not impact Chrome on Android, macOS, Windows, or Linux. iPhone OS users running older Chrome builds remain exposed. Organizations should audit deployment of Chrome on managed iOS devices and user bring-your-own-device (BYOD) adoption.

Exploitability

Exploitability is moderate and primarily dependent on user interaction. An attacker must craft a malicious HTML page and trick a user into opening it—via email, social engineering, malicious advertisement, or compromised website. No user privilege elevation is required; any iOS user can trigger the vulnerability. The attack surface is broad because it works against unauthenticated users and requires only network-level delivery. No active exploitation in the wild has been confirmed as of the publication date.

Remediation

Update Google Chrome for iOS to version 149.0.7827.53 or later. Users should enable automatic app updates in the iOS App Store settings to minimize the window of exposure. Organizations should communicate the patch availability to iOS users and consider pushing the update through Mobile Device Management (MDM) solutions if enrolled. No workarounds short of stopping use of Chrome on iOS are available.

Patch guidance

Verify that Chrome for iOS has been updated to 149.0.7827.53 or later by checking Settings > About Google Chrome, which will display the installed version. For managed devices, deploy the patch through your MDM solution and verify completion within 7 days. For unmanaged BYOD devices, send user guidance recommending immediate update through the App Store. Test critical web applications after patching to ensure no compatibility regressions.

Detection guidance

Monitor network traffic logs for suspicious patterns of requests to credential capture sites or unusual page rendering errors from iOS Chrome clients. While the vulnerability itself is client-side, detection of exploitation attempts is difficult without endpoint visibility. Consider endpoint detection and response (EDR) tools with mobile support if deployed. User reports of unusual browser appearance or unexpected authentication prompts should trigger investigation. Review iOS device inventory to identify systems not yet on version 149.0.7827.53 or later.

Why prioritize this

Although the CVSS score is MEDIUM (4.3) and the Chromium severity rating is LOW, the practical impact on business security justifies moderate-to-high priority for iOS-heavy organizations. UI spoofing is a foundational tactic in social engineering and phishing, and the combination of ease of delivery and user-facing impact makes this a credible risk to identity and account security. Organizations with financial or healthcare users on iOS should prioritize patching within 7 days. Lower priority for organizations with primarily Android or desktop Chrome deployments.

Risk score, explained

The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) reflects a network-accessible, low-complexity attack requiring user interaction and resulting in minor integrity impact with no confidentiality or availability loss. The score of 4.3 places it in the MEDIUM range. However, integrity impact in the context of UI spoofing is understated in the numeric score because the real-world impact—user deception leading to credential loss—is not directly quantified by CVSS. Security teams should treat this as MEDIUM-HIGH priority if users handle sensitive transactions or credentials via Chrome on iOS.

Frequently asked questions

Does this vulnerability affect Chrome on other platforms like Android or macOS?

No. CVE-2026-11285 is specific to Chrome on iOS. Users of Chrome on Android, macOS, Windows, and Linux are not affected. However, each platform has its own set of vulnerabilities, and all browser versions should be kept current.

Can attackers steal passwords or data directly through this vulnerability?

The vulnerability does not directly compromise data confidentiality. However, by spoofing the browser UI, attackers can convince users to enter credentials or sensitive data into fake forms or login screens, which can then be stolen. This is an indirect but serious risk.

Do I need to do anything special to update Chrome on iOS?

No. Go to the App Store on your iOS device, navigate to your account, and check for updates. Chrome should appear if a new version is available. Enable automatic app updates in Settings > App Store > App Updates for hands-free patching in the future.

Is there any evidence of active attacks exploiting this vulnerability?

As of the publication date (June 2026), CVE-2026-11285 has not been added to the CISA Known Exploited Vulnerabilities (KEV) catalog, meaning active exploitation in the wild has not been confirmed. However, organizations should not delay patching, as UI spoofing techniques are well-established in phishing campaigns.

This analysis is based on publicly available vulnerability data and vendor advisories current as of June 2026. Patch versions and remediation timelines should be verified against official Google Chrome and Apple security bulletins. SEC.co makes no warranty regarding the completeness or timeliness of this intelligence. Organizations should conduct their own risk assessments and testing before deploying patches in production environments. This document is for informational purposes only and does not constitute legal or professional security advice. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).