MEDIUM 6.5

CVE-2026-11287: Chrome Android Navigation Bypass Vulnerability Analysis

A vulnerability in Google Chrome on Android allows an attacker who has already compromised the browser's renderer process to bypass navigation controls and direct users to unintended destinations using specially crafted web pages. The attacker must first gain control of the renderer process—a significant prerequisite—but once achieved, can manipulate where the browser navigates without proper restrictions. This affects Chrome versions prior to 149.0.7827.53.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Weaknesses (CWE)
CWE-20, CWE-602
Affected products
2 configuration(s)
Published / Modified
2026-06-05 / 2026-06-17

NVD description (verbatim)

Insufficient policy enforcement in Navigation in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Low)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11287 is a policy enforcement failure in Chrome's Navigation subsystem on Android. The vulnerability stems from insufficient validation of navigation directives when the renderer process has been compromised. An attacker controlling the renderer can craft HTML content that bypasses the browser's navigation policy controls, enabling arbitrary navigation. The vulnerability is classified under improper input validation (CWE-20) and missing authorization checks (CWE-602). While Chromium rates the severity as Low, the CVSS 3.1 scoring reflects the integrity impact of successful exploitation.

Business impact

For organizations managing Android devices with Chrome, this vulnerability presents a limited but meaningful risk: users whose browsers are already compromised could be silently redirected to malicious or fraudulent sites, potentially enabling phishing, credential harvesting, or exposure to secondary malware. However, the attack chain requires a prior renderer compromise, which limits the immediate attack surface. Enterprises should prioritize patching in environments where browser security is critical or where users access sensitive systems via Chrome.

Affected systems

Google Chrome on Android versions prior to 149.0.7827.53 are affected. This includes both current and slightly older releases on the Android platform. Desktop versions of Chrome are not affected; the vulnerability is specific to the Android implementation of the Navigation system.

Exploitability

Exploitation requires two conditions: (1) an attacker must already control the Chrome renderer process, and (2) the user must interact with a crafted HTML page delivered through that compromised context. The renderer compromise itself might result from a separate vulnerability or attack. The user interaction requirement and the need for prior renderer compromise reduce real-world exploitability compared to direct web-based attack scenarios. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities catalog.

Remediation

Update Google Chrome on Android to version 149.0.7827.53 or later. This patch addresses the policy enforcement gap and restores proper navigation restriction controls. Organizations should enforce Chrome updates across managed Android devices through mobile device management (MDM) policies where applicable.

Patch guidance

Patch availability: Google has released Chrome 149.0.7827.53 containing the fix for this vulnerability. Users can update through Google Play Store or automatic update mechanisms. MDM administrators should deploy the update through their management console and verify rollout across enrolled Android devices. Verify the applied version matches 149.0.7827.53 or later before clearing the vulnerability from your tracking systems.

Detection guidance

Detection is challenging at the network level because the crafted HTML is served over standard HTTPS and the malicious navigation may not trigger typical security gateway signatures. Focus on endpoint monitoring: track unexpected navigation events and browser redirects on Android devices, particularly those that occur after suspected renderer compromise indicators. Monitor for unusual permission requests or suspicious app behavior on Android devices running Chrome. Review browser history and navigation logs on compromised devices for anomalous redirect patterns.

Why prioritize this

Despite the Chromium assessment of Low severity, the CVSS score of 6.5 (Medium) reflects the integrity impact of successful exploitation. Prioritize patching in tiers: (1) immediately for devices used by high-value targets or those accessing sensitive services, (2) within 30 days for standard enterprise fleets, (3) monitor for any real-world exploitation activity before forced deployment. The requirement for prior renderer compromise mitigates urgency compared to direct-exploit vulnerabilities, but the integrity impact warrants timely response.

Risk score, explained

The CVSS 3.1 score of 6.5 (Medium severity) is driven by high integrity impact (I:H) coupled with network accessibility (AV:N) and low attack complexity (AC:L). However, the requirement for user interaction (UI:R) and the prerequisite renderer compromise reduce the practical exploitability in comparison to unauthenticated remote code execution vulnerabilities. The Medium classification appropriately reflects a concerning but manageable risk that should not trigger emergency response protocols.

Frequently asked questions

Do I need to patch immediately, or can this wait?

Not an emergency, but timely. The vulnerability requires an attacker to already control the renderer process, which is a non-trivial prerequisite. However, the integrity impact (forced navigation) affects sensitive workflows. Patch within 30 days as part of normal update cycles, sooner if your organization relies on Chrome for secure authentication or sensitive transactions on Android.

Does this affect Chrome on desktop or iOS?

No. This vulnerability is specific to Chrome on Android. The Navigation system implementation differs across platforms, and this policy enforcement gap was identified only in the Android codebase. Desktop and iOS users are not affected and do not require this particular patch.

What can an attacker actually do with this vulnerability?

An attacker who has already compromised the browser's renderer process can force navigation to arbitrary URLs without the user's explicit intent. This enables phishing attacks, drive-by downloads, or redirection to credential-harvesting pages. The attacker cannot execute arbitrary code or access user data directly through this vulnerability alone; they need prior renderer compromise.

How do I know if my device was exploited?

Look for unexpected navigation to unfamiliar sites in your browser history, particularly if you notice redirects happening without clicking links. Monitor for unusual permission requests or unexpected app behavior. If your device has been compromised at the renderer level, you may see other signs of compromise as well, such as crashes, performance issues, or unexpected network traffic.

This analysis is based on official CVE data and Chromium security advisories as of the publication date. Security advisories may be updated as additional information becomes available. Organizations should verify patch version numbers and compatibility with their specific device configurations against Google's official security bulletins and their MDM provider's patch compatibility matrices. No liability is accepted for decisions made based on this analysis. Consult your security team and vendor documentation before deploying patches in production environments. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).