CVE-2026-11287: Chrome Android Navigation Bypass Vulnerability Analysis
A vulnerability in Google Chrome on Android allows an attacker who has already compromised the browser's renderer process to bypass navigation controls and direct users to unintended destinations using specially crafted web pages. The attacker must first gain control of the renderer process—a significant prerequisite—but once achieved, can manipulate where the browser navigates without proper restrictions. This affects Chrome versions prior to 149.0.7827.53.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
- Weaknesses (CWE)
- CWE-20, CWE-602
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-05 / 2026-06-17
NVD description (verbatim)
Insufficient policy enforcement in Navigation in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Low)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11287 is a policy enforcement failure in Chrome's Navigation subsystem on Android. The vulnerability stems from insufficient validation of navigation directives when the renderer process has been compromised. An attacker controlling the renderer can craft HTML content that bypasses the browser's navigation policy controls, enabling arbitrary navigation. The vulnerability is classified under improper input validation (CWE-20) and missing authorization checks (CWE-602). While Chromium rates the severity as Low, the CVSS 3.1 scoring reflects the integrity impact of successful exploitation.
Business impact
For organizations managing Android devices with Chrome, this vulnerability presents a limited but meaningful risk: users whose browsers are already compromised could be silently redirected to malicious or fraudulent sites, potentially enabling phishing, credential harvesting, or exposure to secondary malware. However, the attack chain requires a prior renderer compromise, which limits the immediate attack surface. Enterprises should prioritize patching in environments where browser security is critical or where users access sensitive systems via Chrome.
Affected systems
Google Chrome on Android versions prior to 149.0.7827.53 are affected. This includes both current and slightly older releases on the Android platform. Desktop versions of Chrome are not affected; the vulnerability is specific to the Android implementation of the Navigation system.
Exploitability
Exploitation requires two conditions: (1) an attacker must already control the Chrome renderer process, and (2) the user must interact with a crafted HTML page delivered through that compromised context. The renderer compromise itself might result from a separate vulnerability or attack. The user interaction requirement and the need for prior renderer compromise reduce real-world exploitability compared to direct web-based attack scenarios. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities catalog.
Remediation
Update Google Chrome on Android to version 149.0.7827.53 or later. This patch addresses the policy enforcement gap and restores proper navigation restriction controls. Organizations should enforce Chrome updates across managed Android devices through mobile device management (MDM) policies where applicable.
Patch guidance
Patch availability: Google has released Chrome 149.0.7827.53 containing the fix for this vulnerability. Users can update through Google Play Store or automatic update mechanisms. MDM administrators should deploy the update through their management console and verify rollout across enrolled Android devices. Verify the applied version matches 149.0.7827.53 or later before clearing the vulnerability from your tracking systems.
Detection guidance
Detection is challenging at the network level because the crafted HTML is served over standard HTTPS and the malicious navigation may not trigger typical security gateway signatures. Focus on endpoint monitoring: track unexpected navigation events and browser redirects on Android devices, particularly those that occur after suspected renderer compromise indicators. Monitor for unusual permission requests or suspicious app behavior on Android devices running Chrome. Review browser history and navigation logs on compromised devices for anomalous redirect patterns.
Why prioritize this
Despite the Chromium assessment of Low severity, the CVSS score of 6.5 (Medium) reflects the integrity impact of successful exploitation. Prioritize patching in tiers: (1) immediately for devices used by high-value targets or those accessing sensitive services, (2) within 30 days for standard enterprise fleets, (3) monitor for any real-world exploitation activity before forced deployment. The requirement for prior renderer compromise mitigates urgency compared to direct-exploit vulnerabilities, but the integrity impact warrants timely response.
Risk score, explained
The CVSS 3.1 score of 6.5 (Medium severity) is driven by high integrity impact (I:H) coupled with network accessibility (AV:N) and low attack complexity (AC:L). However, the requirement for user interaction (UI:R) and the prerequisite renderer compromise reduce the practical exploitability in comparison to unauthenticated remote code execution vulnerabilities. The Medium classification appropriately reflects a concerning but manageable risk that should not trigger emergency response protocols.
Frequently asked questions
Do I need to patch immediately, or can this wait?
Not an emergency, but timely. The vulnerability requires an attacker to already control the renderer process, which is a non-trivial prerequisite. However, the integrity impact (forced navigation) affects sensitive workflows. Patch within 30 days as part of normal update cycles, sooner if your organization relies on Chrome for secure authentication or sensitive transactions on Android.
Does this affect Chrome on desktop or iOS?
No. This vulnerability is specific to Chrome on Android. The Navigation system implementation differs across platforms, and this policy enforcement gap was identified only in the Android codebase. Desktop and iOS users are not affected and do not require this particular patch.
What can an attacker actually do with this vulnerability?
An attacker who has already compromised the browser's renderer process can force navigation to arbitrary URLs without the user's explicit intent. This enables phishing attacks, drive-by downloads, or redirection to credential-harvesting pages. The attacker cannot execute arbitrary code or access user data directly through this vulnerability alone; they need prior renderer compromise.
How do I know if my device was exploited?
Look for unexpected navigation to unfamiliar sites in your browser history, particularly if you notice redirects happening without clicking links. Monitor for unusual permission requests or unexpected app behavior. If your device has been compromised at the renderer level, you may see other signs of compromise as well, such as crashes, performance issues, or unexpected network traffic.
This analysis is based on official CVE data and Chromium security advisories as of the publication date. Security advisories may be updated as additional information becomes available. Organizations should verify patch version numbers and compatibility with their specific device configurations against Google's official security bulletins and their MDM provider's patch compatibility matrices. No liability is accepted for decisions made based on this analysis. Consult your security team and vendor documentation before deploying patches in production environments. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-0018MEDIUMAndroid AccessibilityManagerService Denial of Service Vulnerability
- CVE-2026-0051MEDIUMAndroid UBSan Runtime Denial of Service Vulnerability
- CVE-2026-0070MEDIUMAndroid DevicePolicyManagerService Local Denial of Service Vulnerability
- CVE-2026-0085MEDIUMAndroid Contact Handler Denial of Service Vulnerability
- CVE-2026-10004MEDIUMChrome UI Spoofing Vulnerability – Password Dialog Hijacking
- CVE-2026-10912MEDIUMChrome Extension Same-Origin Policy Bypass (CVSS 6.5)
- CVE-2026-10916MEDIUMChrome DevTools UXSS Vulnerability
- CVE-2026-10938MEDIUMChrome Site Isolation Bypass via Input Validation Flaw