HIGH 7.7

CVE-2026-11297: Chrome Android Reader Mode Navigation Bypass Vulnerability

A vulnerability in Google Chrome's Reader Mode on Android allows local attackers to bypass navigation restrictions by providing a specially crafted file. While the underlying input validation flaw is classified as low severity by Google's Chromium team, the CVSS scoring reflects the potential for high-impact integrity and availability consequences when successfully exploited. This is a local-only attack, meaning an attacker must already have some level of access to the device to deliver the malicious file.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.7 HIGH · CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Weaknesses (CWE)
CWE-20
Affected products
2 configuration(s)
Published / Modified
2026-06-05 / 2026-06-17

NVD description (verbatim)

Insufficient validation of untrusted input in Reader Mode in Google Chrome on Android prior to 149.0.7827.53 allowed a local attacker to bypass navigation restrictions via a malicious file. (Chromium security severity: Low)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11297 stems from insufficient validation of untrusted input within the Reader Mode component of Google Chrome for Android versions prior to 149.0.7827.53. The vulnerability is rooted in CWE-20 (Improper Input Validation) and permits a local attacker to circumvent navigation restrictions through a crafted file. Despite Chromium's internal severity assessment of 'Low,' the CVSS 3.1 score of 7.7 indicates the attack requires only local access (no privilege escalation) and no user interaction, with significant potential impacts on integrity and availability.

Business impact

Organizations managing Android devices with Chrome as the primary browser should recognize the practical risk: an attacker with local file system access can bypass intended navigation controls, potentially preventing users from visiting legitimate content or forcing them down attacker-controlled paths. In regulated environments, this could affect compliance monitoring and controlled web access policies. While the impact is not confidentiality-focused, the integrity and availability consequences could disrupt business workflows, particularly in shared or less-secured device deployments.

Affected systems

Google Chrome for Android versions before 149.0.7827.53 are affected. The vulnerability is specific to Android and does not apply to Chrome on other platforms. Organizations running Chrome on Android devices should verify their deployed versions against the patched release.

Exploitability

Exploitation requires local access to the affected Android device and the ability to place or deliver a malicious file to the system. No user interaction or special privileges are needed once file access is achieved. While not remotely exploitable, the combination of low barriers to local file manipulation on Android and the lack of required user interaction makes this moderately exploitable in scenarios involving shared devices, managed deployments with weak endpoint controls, or devices physically accessible to potential attackers.

Remediation

Update Google Chrome on Android to version 149.0.7827.53 or later. Verify that your device management system or mobile device management (MDM) solution is configured to automatically push Chrome updates to enrolled Android devices. For organizations that cannot immediately update, consider restricting local file upload and sharing mechanisms on shared devices and reviewing access controls to sensitive directories.

Patch guidance

Patch availability: Google Chrome version 149.0.7827.53 and later address this vulnerability. Android users can check their Chrome version by opening Settings > About Chrome, which typically triggers an automatic update check. Enterprise deployments should use MDM solutions to enforce the minimum version requirement across enrolled devices. Verify patch deployment in your environment before considering the vulnerability mitigated.

Detection guidance

Monitor for anomalous file access patterns on Android devices, particularly attempts to interact with Reader Mode cache or configuration directories. While signature-based detection is limited without access to the malicious file itself, security teams can audit device logs for unauthorized file delivery or modification events in Chrome's data directories. EDR tools with Android support may flag suspicious file operations related to Chrome processes. Additionally, monitor for reports of unexpected navigation behavior or users being unable to access intended sites through Reader Mode.

Why prioritize this

While Chromium classified this as 'Low' severity internally, the CVSS 7.7 HIGH score reflects the confluence of ease of local exploitation (no privileges or user interaction required) and meaningful business impact on integrity and availability. Organizations should prioritize patching Android Chrome deployments in environments where device sharing or physical accessibility to endpoints is a concern. The absence of KEV designation suggests limited active exploitation in the wild, but this should not deter timely patching.

Risk score, explained

The CVSS 3.1 score of 7.7 is driven by: Attack Vector (Local) indicating accessibility is restricted to local access; Attack Complexity (Low) meaning no special setup is needed; Privileges Required (None) and User Interaction (None), both lowering the attack barrier significantly; and High impact on Integrity and Availability. The score appropriately reflects that while the attack surface is narrower than a remote vulnerability, the ease and impact of exploitation within that surface is substantial.

Frequently asked questions

Is this vulnerability remotely exploitable?

No. CVE-2026-11297 requires local access to the Android device and the ability to deliver a malicious file. It cannot be exploited over the network or through a webpage alone.

Do I need to update Chrome on my desktop or iOS devices?

This vulnerability is specific to Chrome on Android. Desktop (Windows, macOS, Linux) and iOS versions of Chrome are not affected. However, keep all browsers updated as a general security practice.

What is Reader Mode and why is it vulnerable?

Reader Mode in Chrome simplifies webpage layout by stripping out ads and formatting distractions. The vulnerability lies in how this mode validates files it processes, allowing an attacker to craft a malicious file that bypasses intended navigation controls. Users may not realize their navigation is being restricted or redirected.

If Chromium says this is 'Low' severity, why is the CVSS score 'HIGH'?

Chromium's internal severity rating and CVSS are different scoring frameworks. CVSS focuses on the technical exploitability and impact metrics, while Chromium may weigh other factors like prevalence in the wild or how well their sandboxing contains the issue. Trust the CVSS score for patch prioritization decisions.

This analysis is based on the vulnerability data published as of June 2026. Security advisories and patch releases may be updated; always verify current information directly with Google's official Chrome Security update page and your organization's vulnerability management tools. This explainer is intended for security professionals and does not constitute legal or compliance advice. Organizations must assess applicability to their specific environments and regulatory requirements independently. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).