MEDIUM 5.0

CVE-2026-11290: Chrome Android Integer Overflow DoS Vulnerability – Patch Guide

An integer overflow vulnerability exists in the WebView component of Google Chrome on Android devices running versions prior to 149.0.7827.53. A local attacker with limited privileges can exploit this flaw by tricking a user into opening a specially crafted file, leading to a denial of service that crashes the browser or WebView. This is a local attack that requires user interaction and does not compromise confidentiality or integrity.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.0 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-190, CWE-472
Affected products
2 configuration(s)
Published / Modified
2026-06-05 / 2026-06-17

NVD description (verbatim)

Integer overflow in WebView in Google Chrome on Android prior to 149.0.7827.53 allowed a local attacker to cause a denial of service via a malicious file. (Chromium security severity: Low)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11290 is an integer overflow bug (CWE-190) located in Chrome's WebView implementation on Android. The vulnerability occurs when WebView processes untrusted input without proper bounds checking, allowing numeric values to exceed their intended limits. When an integer overflows, subsequent operations may access invalid memory regions or trigger error conditions. The flaw also involves improper resource validation (CWE-472), meaning the application fails to validate resources before use. Exploitation requires local file system access and user interaction—specifically, the user must open a malicious file through the WebView. Google has assigned this a Low security severity from the Chromium perspective, though the CVSS v3.1 score reflects moderate impact due to the availability impact potential.

Business impact

Organizations deploying Chrome or Chrome-based applications on Android devices face availability risk if users encounter malicious files designed to crash the browser. While the attack is local and non-destructive to data, repeated exploitation could disrupt productivity. The low barrier to user interaction (opening a file) and the broad user base of Android devices mean this could affect organizations with significant mobile device deployments. However, the attack does not enable data theft or system compromise, limiting financial or reputational harm.

Affected systems

Google Chrome on Android prior to version 149.0.7827.53 is affected. This includes any Android device running a vulnerable Chrome version, as well as Android apps that embed Chrome's WebView component (a shared system library used by third-party browsers and apps). Organizations should verify Chrome version numbers on managed Android devices and assess exposure through Chrome usage and WebView embedding in custom applications.

Exploitability

Exploitation requires a local attacker, user interaction, and low privileges. An attacker must convince or socially engineer a user to open a malicious file—this could occur via email attachments, malicious downloads, or compromised websites offering file downloads. The attack is not remotely exploitable and does not require elevated privileges on the device. The requirement for user interaction moderates the risk profile, though user education and file type restrictions can help mitigate exposure. There is no evidence of public exploit code or active exploitation in the wild.

Remediation

Users and administrators should update Google Chrome on Android devices to version 149.0.7827.53 or later. On managed Android deployments, use mobile device management (MDM) solutions to enforce automatic updates or enforce minimum Chrome version policies. For organizations embedding WebView in custom applications, ensure the underlying Android system and any bundled WebView components are patched. End users should also avoid opening files from untrusted sources and consider disabling automatic file downloads in Chrome settings.

Patch guidance

Update Chrome from the Google Play Store or use automated update mechanisms. Verify the installed version through Chrome Settings > About Chrome, which will also check for pending updates. Organizations with managed Android devices should configure MDM policies to require Chrome version 149.0.7827.53 or later. For app developers using WebView, verify that the system WebView component on target devices is current; on Android 10 and later, Chrome/WebView updates are delivered via the Play Store. Test updates in a non-production environment first to ensure compatibility with internal applications and workflows.

Detection guidance

Monitor Chrome crash logs and WebView error reports on managed devices for unexpected crashes linked to file handling. Endpoint detection and response (EDR) solutions on Android should flag suspicious file access patterns or WebView crashes correlated with newly downloaded or opened files. Network-based detection is limited due to the local nature of this vulnerability. Behavioral signals—such as users reporting repeated Chrome crashes after opening files—may indicate exploitation attempts. Review browser history and file access logs for unusual file types or sources preceding crashes.

Why prioritize this

Although the CVSS score is 5.0 (Medium), the actual risk is best considered in organizational context. The vulnerability requires local access and user interaction, limiting spontaneous exploitation. However, Android's widespread use, the ease of social engineering file downloads, and the availability impact (denial of service) warrant prompt patching for organizations with managed mobile devices. The absence of KEV status and low Chromium severity rating suggest this is not an immediate critical threat, but it should be addressed in regular patch cycles within 30–60 days depending on organizational risk appetite and Android device dependency.

Risk score, explained

The CVSS v3.1 score of 5.0 reflects a Medium severity rating. The attack vector is Local (AV:L), requiring the attacker to have local file system access or ability to place a file where the victim can open it. Attack Complexity is Low (AC:L), meaning successful exploitation does not require unusual circumstances. Privileges Required is Low (PR:L), indicating a local user context is sufficient. User Interaction is Required (UI:R), as the victim must open the malicious file. The impact assessment shows no loss of Confidentiality or Integrity (C:N, I:N), but High availability impact (A:H), reflecting the denial of service potential. The Scope is Unchanged (S:U), meaning the impact is limited to the affected component and device. This score appropriately captures a localized but manageable risk.

Frequently asked questions

Can this vulnerability be exploited remotely or does it require local access?

Exploitation requires local access to the device and user interaction. The attacker must convince the user to open a malicious file, either by placing it on the device or via social engineering (email, messaging, downloads). It is not remotely exploitable over a network.

Does this vulnerability compromise user data or allow unauthorized access to the device?

No. The vulnerability causes only a denial of service (application crash). It does not enable data theft, credential compromise, or unauthorized access to device files or accounts. Confidentiality and integrity remain unaffected.

Do third-party Android browsers or apps that use WebView need to be updated?

Android system WebView is updated independently through the Google Play Store on Android 5.0 and later. Third-party browsers (such as Firefox or Samsung Internet) have their own rendering engines and are not affected by this Chrome WebView vulnerability. However, any custom app that embeds the system WebView should inherit security updates automatically once the device is patched.

Is this vulnerability being actively exploited in the wild?

There is no indication of active exploitation or public exploit code for CVE-2026-11290. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. Threat actors typically focus on more impactful flaws, making this a lower priority from an incident response perspective, though proactive patching remains important.

This analysis is provided for informational purposes and reflects publicly available information as of the publication and modification dates noted in the source data. Patch version numbers and CVE references are based on vendor advisories; verify against Google's official Chrome release notes before deployment. CVSS scores represent quantitative risk assessment but should be contextualized within your organization's threat landscape and asset inventory. Exploitation scenarios and detection methods are general guidance; actual risk depends on your environment, user behavior, and Android device configuration. Always test patches in non-production environments and maintain current backups before large-scale updates. This page does not constitute security consulting or compliance advice specific to your organization. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).