CVE-2026-11309: Chrome History Policy Enforcement Flaw Enables UI Spoofing
Google Chrome versions before 149.0.7827.53 contain a flaw in how the browser enforces policies for the History feature. An attacker can craft a deceptive webpage that tricks users into believing they're interacting with legitimate browser UI elements or content. While the vulnerability requires user interaction and doesn't directly expose sensitive data or crash the browser, the spoofing capability could be weaponized in social engineering campaigns to steal credentials or manipulate user behavior.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
- Weaknesses (CWE)
- CWE-346
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-05 / 2026-06-17
NVD description (verbatim)
Insufficient policy enforcement in History in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11309 stems from insufficient policy enforcement in Chrome's History module. The vulnerability maps to CWE-346 (Origin Validation Error), indicating a breakdown in the browser's ability to properly verify and enforce origin boundaries when rendering history-related UI. An attacker serving a crafted HTML page can exploit lenient policy checks to overlay or mimic legitimate browser interface elements, deceiving users about the source or authenticity of displayed content. The attack surface is remote and requires no special privileges, but does depend on user interaction to be effective.
Business impact
From a business continuity perspective, this vulnerability poses a moderate risk. It enables social engineering vectors—for example, a malicious site could spoof login prompts or warning dialogs to harvest credentials. Organizations with users on unpatched Chrome instances are at elevated risk of credential compromise and downstream account takeover. The impact is amplified in environments where employees access sensitive applications via Chrome on shared or less-controlled endpoints. However, the lack of direct data exfiltration or system compromise means this is not a critical business continuity threat on its own; it becomes dangerous when chained with other tactics.
Affected systems
The vulnerability affects Google Chrome installations on multiple platforms: Microsoft Windows, Apple macOS, and Linux systems running the Linux kernel. Any user operating Chrome version 149.0.7827.53 or earlier is vulnerable. Organizations should inventory Chrome deployments across desktop and laptop assets to identify exposure. The cross-platform nature means vulnerability spans both enterprise and personal device ecosystems.
Exploitability
Exploitability is moderate. The attack requires a user to visit a malicious or compromised website, then interact with spoofed UI elements—clicking a fake login button, for instance. No advanced exploitation techniques, authentication bypass, or zero-day trigger chains are needed. However, the attack does not execute automatically; it depends on social engineering success. The CVSS score of 4.3 (MEDIUM) reflects this user-interaction requirement and the integrity-only impact (the attacker cannot confidentially exfiltrate or destroy data directly via this flaw). The attack is accessible to remote actors and does not require special network access or elevated local privileges.
Remediation
Update Google Chrome to version 149.0.7827.53 or later. Chrome's auto-update feature will deliver the patch automatically on supported platforms; however, verification that updates have completed is recommended in corporate environments. Users can manually check their version by navigating to chrome://settings/help. For macOS users, ensure system updates are applied, as Chrome updates are often bundled with OS patches. Linux users should update Chrome packages through their distribution's package manager. No workarounds exist for this policy enforcement flaw; patching is the only reliable fix.
Patch guidance
Verify and enforce Chrome version 149.0.7827.53 or later across your organization. If you manage Chrome through enterprise policies (via Chrome Enterprise or Chromebook management), deploy the update through your management console. On Windows, use Group Policy to enforce automatic updates if not already enabled. For macOS deployments, confirm that Chromium auto-update is not disabled via managed preferences. Monitor Chrome version compliance for 30 days post-patch using your endpoint management tools to identify straggler systems. Prioritize patching for systems used to access high-value applications (email, financial, HR systems) and by employees in high-risk roles.
Detection guidance
Detection of active exploitation is challenging, as the attack manifests as a deceptive webpage viewed in a normal browsing session. Monitor for anomalous user behavior that might indicate credential harvesting success (e.g., spike in failed login attempts from unexpected locations shortly after spike in unique user agents claiming to be patched Chrome versions). Endpoint detection and response (EDR) tools may identify suspicious process execution following a user's Chrome session, particularly if malware is downloaded post-credential theft. Network-level detection is limited; SIEM correlation of user login failures, VPN access anomalies, or account lockouts can provide indirect signals. Consider deploying browser isolation technology in high-risk environments to prevent spoofing from having real-world impact.
Why prioritize this
This vulnerability warrants standard-priority patching within 30 days. While the CVSS score is moderate (4.3) and Chromium rates it as Low severity, the attack vector (remote, no privileges required) and potential for credential harvesting in social engineering campaigns elevate its practical risk in an enterprise context. It is not a zero-day or weaponized threat (not on the KEV catalog), so there is no immediate emergency response trigger. However, the cross-platform reach and prevalence of Chrome in enterprise environments mean that delaying patch deployment creates unnecessary exposure. Coordinate patching with your change management process, targeting completion before the end of the calendar quarter.
Risk score, explained
The CVSS 4.3 MEDIUM score reflects: (1) remote attack vector—no network proximity required; (2) low attack complexity—a simple crafted HTML page suffices; (3) user interaction required—the attacker must deceive a user into interacting with spoofed elements; (4) no privilege requirements; (5) integrity impact only—the user's trust and actions can be compromised, but no confidential data is directly exposed or system availability impacted. The severity does not account for social engineering or downstream compromise, which security teams must layer into their risk models manually. The score aligns with Chromium's internal Low severity designation, suggesting this was not a critical flaw in the browser's core security model, but rather a policy enforcement gap in a specific feature.
Frequently asked questions
Can this vulnerability steal my passwords or data?
Not directly. The vulnerability enables UI spoofing—an attacker can make a webpage look like a legitimate login screen or browser warning. The attacker must trick you into entering credentials into the fake form. However, if you do enter credentials, a malicious site can capture them. The vulnerability itself does not bypass Chrome's password manager, encryption, or site isolation; it exploits user perception.
How can I check if my Chrome is patched?
Go to chrome://settings/help in your address bar. Chrome will show your current version and automatically check for updates. If you see version 149.0.7827.53 or higher, you are patched. If an update is available, click the restart button to apply it. On macOS, also ensure your operating system is up to date, as Chrome updates may be bundled with OS patches.
Is this vulnerability actively being exploited?
There is no evidence that this vulnerability has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog or that it is the subject of widespread active exploitation in the wild. This does not mean exploitation is impossible—it is a known flaw that attackers could use in targeted social engineering campaigns. Patching remains the prudent course of action.
Do I need to worry about this if I use a Chromebook?
Yes, Chromebooks run Chrome OS, which relies on the Chromium browser engine. However, Chromebooks receive automatic security updates that are typically pushed and installed more frequently than Windows or macOS Chrome instances. Verify your Chromebook's Chrome version is up to date by checking Settings > About > Chrome OS. If an update is pending, the system will prompt you to restart.
This analysis is provided for informational purposes by SEC.co and reflects publicly available information as of the published date. The vulnerability details, CVSS score, and patch version numbers are sourced from official CVE, NVD, and vendor disclosures. Security teams should verify patch applicability and test updates in their own environments before enterprise deployment. No portion of this content constitutes legal advice, and organizations should consult their security and legal teams regarding compliance obligations. Exploitation scenarios and risk assessments are illustrative; actual impact depends on your organization's specific Chrome deployment, user populations, and security controls. This page does not provide exploit code or weaponization guidance. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-11020MEDIUMChrome Extension XML Cross-Origin Data Leak – Patch to 149.0.7827.53
- CVE-2026-11032MEDIUMChrome Password Manager Cross-Origin Data Leak
- CVE-2026-11036MEDIUMChrome Same-Origin Policy Bypass via DOM Implementation Flaw
- CVE-2026-11048MEDIUMChrome Extension Same-Origin Policy Bypass (Medium, 6.5)
- CVE-2026-11081MEDIUMChrome Canvas Same-Origin Policy Bypass
- CVE-2026-11083MEDIUMChrome Password Manager Cross-Origin Data Leak Vulnerability
- CVE-2026-11084MEDIUMChrome Password Manager Cross-Origin Data Leak (v149.0.7827.53)
- CVE-2026-11132MEDIUMChrome Same-Origin Policy Bypass in Paint Component