← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
CVE-2026-11007 · CWE-20 · Disclosed 2026-06-04

Insufficient validation of untrusted input in WebView in Google Chrome on Android prior to 149

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is not the front door, it's the interior lock that fails after the burglar is already inside

CVE-2026-11007 is an input-validation flaw in WebView affecting Google Chrome on Android / Android System WebView before the June 2026 fixed builds. Public descriptions tie it to cross-origin data access via a crafted HTML page, but with a crucial catch: the attacker must already have access to the renderer process. In practical terms, that means this bug is not the initial browser break; it is a same-device, post-renderer-compromise boundary bypass that can expose data from other origins rendered inside the vulnerable WebView context.

Reality is lower than what the phrase *remote attacker* suggests. The meaningful prerequisite is renderer-process compromise first, which implies either a separate browser/WebView exploit or an already-compromised app/device path. That sharply narrows the reachable population and turns this into an exploit-chain amplifier, not a standalone fleet-wide emergency. Still, WebView is everywhere on Android and cross-origin data theft can expose tokens, session state, and embedded-app content, so this is not backlog junk either.

"ASSESSED AT MEDIUM: useful chain component, but it needs prior renderer compromise to matter"
02 · The Attack Path

4 steps from start to impact.

STEP 01

Deliver attacker-controlled web content

The attacker needs the target to load crafted HTML in Chrome on Android or an app embedding Android WebView. That can happen through browsing, deep links, or app-driven WebView content loads. By itself, this step does not trigger the impact described for this CVE.
Conditions required:
  • Victim uses Chrome on Android or an app relying on Android System WebView
  • Attacker can cause victim to render attacker-controlled web content
Where this breaks in practice:
  • User interaction or app workflow is usually required
  • Many enterprise Android apps restrict arbitrary navigation or external content loading
Detection/coverage: MDM and mobile threat defense can inventory vulnerable app versions, but network scanners will not see this exposure because it is a client-side mobile component.
STEP 02

Gain renderer-process access

Public descriptions state the attacker must already have access to the renderer process. In practice this means chaining from a separate renderer compromise, likely another browser/WebView memory corruption or logic bug. This is the decisive friction point: without that first-stage foothold, CVE-2026-11007 does nothing for the attacker.
Conditions required:
  • Successful compromise of the Chrome/WebView renderer process
  • Exploit chain reliability sufficient to keep the renderer under attacker control
Where this breaks in practice:
  • Requires a separate vulnerability or equivalent foothold
  • Chrome/WebView sandboxing and modern exploit mitigations raise chain complexity
  • Most opportunistic actors will use cleaner one-shot bugs when they have them
Detection/coverage: There is no standalone scanner for 'renderer compromised'; visibility comes from crash telemetry, exploit detection, browser anomaly analytics, and MTD/EDR-style behavioral signals where available.
STEP 03

Abuse WebView validation weakness

Once inside the renderer, the attacker uses crafted HTML to exploit the insufficient validation bug in WebView. The described outcome is cross-origin data access, meaning data that should remain isolated by origin policy may become readable across origin boundaries within the affected rendering context.
Conditions required:
  • Vulnerable WebView/Chrome build is installed
  • Target content of interest is loaded in the vulnerable context
Where this breaks in practice:
  • Impact depends on sensitive target origins actually being present in that WebView usage pattern
  • Many enterprise apps use native auth flows or app-level token protections that reduce what browser-readable data exists
Detection/coverage: Static version checks are easy; active misuse is hard to distinguish from normal page behavior without deep app/browser telemetry.
STEP 04

Harvest tokens or embedded-app data

If the target app or browser session has valuable authenticated content loaded, the attacker may read cross-origin data such as session artifacts, page content, or web tokens exposed to the rendering context. The likely operational impact is session theft or data exposure within the victim's app/browser context, not broad device takeover.
Conditions required:
  • Sensitive sessions or data are present in the compromised WebView context
  • Attacker can exfiltrate the retrieved data
Where this breaks in practice:
  • Blast radius is usually per-user, per-app, per-session
  • No direct OS-level privilege escalation or sandbox escape is described
Detection/coverage: Look for anomalous WebView/Chrome traffic patterns and app session abuse after mobile browser compromise; signature-based detection for this specific CVE is unlikely.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusNo public evidence of active exploitation found in authoritative sources reviewed; not present in CISA KEV.
PoC availabilityNo public PoC or exploit repo located for this CVE as of the reviewed sources. That fits the bug's chain-dependent nature and restricted Chromium issue details.
EPSS0.00043 from the user-supplied intel, indicating extremely low near-term exploitation probability.
KEV statusNot KEV-listed. CISA's KEV catalog does not currently list CVE-2026-11007.
Vendor severity signalGoogle's Chrome release notes label CVE-2026-11007 as Medium severity at the Chromium bug-class level, but no vendor CVSS score/vector was published.
Affected versionsChrome/Android WebView builds before 149.0.7827.53 are described as affected in public CVE summaries; Chrome for Android's June 2, 2026 stable rollout was 149.0.7827.59 and states Android gets the same security fixes as the corresponding desktop release.
Fixed versionsTreat Android System WebView 149.0.7827.53+ and Chrome for Android 149.0.7827.59+ as fixed baselines for fleet validation. Enterprises should verify OEM-managed devices do not lag Play-distributed component updates.
Technical impactPublic descriptions point to cross-origin data access in WebView after attacker access to the renderer process. That is a privacy / session-boundary failure, not a standalone RCE or sandbox escape.
Exposure populationWebView and Chrome on Android are massively deployed; both Play listings show 10B+ downloads. But this is not internet-scannable infrastructure like a VPN or edge appliance, so attacker reach is governed by user/app interaction and exploit chaining, not exposed listening services.
Disclosure / reportingDisclosed 2026-06-04 per the user intel; Chrome 149 stable was published 2026-06-02 and the Chrome release notes say the underlying bug was reported by Google on 2026-03-24.
04 · The Call

noisgate verdict.

Final Verdict
= UNCHANGED to MEDIUM (5.0/10)

The single biggest severity suppressor is the stated need for renderer-process access first. That makes this a post-compromise browser-chain component with limited standalone reach, even though WebView's install base is enormous and the data exposure can still be meaningful at the user/session level.

HIGH Affected product/version and absence of vendor CVSS baseline
MEDIUM Operational impact estimation from limited public technical detail

Why this verdict

  • Downward adjustment: requires renderer compromise first — this is not unauthenticated remote code execution from a clean start; it presumes a prior exploit stage inside Chrome/WebView.
  • Downward adjustment: client-side reach, not edge exposure — attackers cannot sweep the internet for this like they can with VPNs, gateways, or web apps.
  • Upward adjustment: huge deployment footprint — Android WebView and Chrome are everywhere, so vulnerable versions will exist in large numbers across mobile fleets.
  • Upward adjustment: cross-origin data access matters — if chained successfully, the bug can expose authenticated content and session material inside embedded enterprise app flows.
  • Downward adjustment: no KEV, no public exploitation, tiny EPSS — current threat intelligence does not show this bug being weaponized at scale.

Why not higher?

Because the attacker does not get to start here. The prerequisite of renderer-process access is a compounding friction point that implies another exploit, another failure, or an already-compromised context before CVE-2026-11007 becomes useful. Also, the public impact described is data access within the rendering boundary, not direct sandbox escape, OS compromise, or broad wormable behavior.

Why not lower?

Because this is still a security boundary failure in WebView, not a harmless crash. Cross-origin data exposure inside mobile app/browser sessions can translate into real token theft and sensitive content access when paired with the right app workflow. On large Android estates, chainable browser/WebView flaws deserve disciplined patching even when they are not front-door bugs.

05 · Compensating Control

What to do — in priority order.

  1. Force-update Chrome and WebView — Use your EMM/MDM and managed Google Play controls to push Chrome for Android 149.0.7827.59+ and Android System WebView 149.0.7827.53+ across enrolled devices. For a MEDIUM verdict there is no noisgate mitigation SLA; this is the primary remediation path and should be completed inside the 365-day remediation window, though mobile-browser components should realistically move much faster.
  2. Block unmanaged Android versions from sensitive apps — Enforce conditional access or app protection policy so devices missing current Chrome/WebView builds cannot reach high-value SSO, mail, HR, and finance applications. This reduces exposure while updates propagate; for MEDIUM, there is no mitigation SLA — go straight to the 365-day remediation window unless your internal mobile hardening standard is stricter.
  3. Constrain risky WebView content flows — For internally developed Android apps, reduce arbitrary external content loading in WebView, prefer verified domains, and avoid keeping high-value sessions inside embedded web flows longer than needed. This does not remove the bug, but it cuts the amount of valuable cross-origin data present if exploitation occurs during the remediation window.
  4. Prioritize devices with sensitive mobile SSO — Patch executive, privileged-admin, BYOD-with-corporate-access, and kiosk/shared-device populations first because those devices are more likely to carry reusable tokens and authenticated sessions. Even for a MEDIUM issue, threat reduction is better when you start with the highest-value identities rather than trying to boil the ocean.
What doesn't work
  • A WAF does not help; this is a client-side browser/WebView issue, not a server-side request filtering problem.
  • Perimeter network scanning does not help you find exposure; Chrome/WebView are mobile client components, not listening services.
  • MFA alone does not neutralize session or token theft after browser compromise; it may reduce account takeover paths, but it does not fix cross-origin data exposure already present on the device.
  • AV signatures for a specific CVE are unlikely to be reliable here; the prerequisite is exploit-chain behavior inside the browser renderer, not a stable malware family artifact.
06 · Verification

Crowdsourced verification payload.

Run this from an auditor workstation with adb installed against a connected Android device, or adapt the package/version logic into your EMM compliance checks. Invoke it as ./check_cve_2026_11007.sh <device-serial> or omit the serial for a single attached device; no root is required, but the device must allow adb shell access.

noisgate-verify.sh
BASHREAD-ONLYSAFE
#!/usr/bin/env bash
# check_cve_2026_11007.sh
# Validate Chrome for Android / Android System WebView versions for CVE-2026-11007
# Exit codes:
#   0 = PATCHED
#   1 = VULNERABLE
#   2 = UNKNOWN / error

set -u

SERIAL_ARG="${1:-}"
ADB=(adb)
if [[ -n "$SERIAL_ARG" ]]; then
  ADB+=( -s "$SERIAL_ARG" )
fi

FIX_CHROME="149.0.7827.59"
FIX_WEBVIEW="149.0.7827.53"

log() { echo "[+] $*"; }
err() { echo "[!] $*" >&2; }

have_adb() {
  command -v adb >/dev/null 2>&1
}

version_lt() {
  # returns 0 if $1 < $2
  local a b IFS=.
  read -r -a a <<< "$1"
  read -r -a b <<< "$2"
  local len=${#a[@]}
  (( ${#b[@]} > len )) && len=${#b[@]}
  for ((i=0; i<len; i++)); do
    local ai=${a[i]:-0}
    local bi=${b[i]:-0}
    if ((10#$ai < 10#$bi)); then
      return 0
    elif ((10#$ai > 10#$bi)); then
      return 1
    fi
  done
  return 1
}

pkg_version() {
  local pkg="$1"
  "${ADB[@]}" shell dumpsys package "$pkg" 2>/dev/null | tr -d '\r' | awk -F= '/versionName=/{print $2; exit}'
}

pkg_installed() {
  local pkg="$1"
  "${ADB[@]}" shell pm path "$pkg" 2>/dev/null | grep -q '^package:'
}

if ! have_adb; then
  err "adb not found in PATH"
  echo "UNKNOWN"
  exit 2
fi

if ! "${ADB[@]}" get-state >/dev/null 2>&1; then
  err "no reachable adb device"
  echo "UNKNOWN"
  exit 2
fi

status="PATCHED"
vuln_reasons=()
seen_any=0

# Chrome for Android
if pkg_installed com.android.chrome; then
  seen_any=1
  chrome_ver="$(pkg_version com.android.chrome)"
  if [[ -z "$chrome_ver" ]]; then
    err "could not read Chrome version"
    echo "UNKNOWN"
    exit 2
  fi
  log "Chrome version: $chrome_ver"
  if version_lt "$chrome_ver" "$FIX_CHROME"; then
    status="VULNERABLE"
    vuln_reasons+=("Chrome $chrome_ver < $FIX_CHROME")
  fi
fi

# Android System WebView (Google package)
if pkg_installed com.google.android.webview; then
  seen_any=1
  webview_ver="$(pkg_version com.google.android.webview)"
  if [[ -z "$webview_ver" ]]; then
    err "could not read Google WebView version"
    echo "UNKNOWN"
    exit 2
  fi
  log "Google WebView version: $webview_ver"
  if version_lt "$webview_ver" "$FIX_WEBVIEW"; then
    status="VULNERABLE"
    vuln_reasons+=("Google WebView $webview_ver < $FIX_WEBVIEW")
  fi
fi

# AOSP WebView fallback package
if pkg_installed com.android.webview; then
  seen_any=1
  aosp_webview_ver="$(pkg_version com.android.webview)"
  if [[ -z "$aosp_webview_ver" ]]; then
    err "could not read AOSP WebView version"
    echo "UNKNOWN"
    exit 2
  fi
  log "AOSP WebView version: $aosp_webview_ver"
  if version_lt "$aosp_webview_ver" "$FIX_WEBVIEW"; then
    status="VULNERABLE"
    vuln_reasons+=("AOSP WebView $aosp_webview_ver < $FIX_WEBVIEW")
  fi
fi

if [[ "$seen_any" -eq 0 ]]; then
  err "neither Chrome nor WebView packages were found"
  echo "UNKNOWN"
  exit 2
fi

if [[ "$status" == "VULNERABLE" ]]; then
  echo "VULNERABLE"
  printf '%s\n' "Reasons: ${vuln_reasons[*]}"
  exit 1
fi

echo "PATCHED"
exit 0
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning: pull a mobile inventory for Chrome on Android and Android System WebView, identify anything below 149.0.7827.59 for Chrome or 149.0.7827.53 for WebView, and remediate through managed Google Play / EMM first for high-value user groups. Because this is ASSESSED AT MEDIUM, there is no noisgate mitigation SLA — go straight to the 365-day remediation window; that means no separate temporary-control deadline is required, but you should still use conditional access and app policy to contain stragglers while you close them inside the noisgate remediation SLA of ≤365 days.

Sources

  1. Chrome Releases: Chrome for Android Update (June 2, 2026)
  2. Chrome Releases: Stable Channel Update for Desktop (June 2, 2026)
  3. Chromium Chrome 149 release notes entry showing CVE-2026-11007 as Medium
  4. Chromium Security
  5. Chromium Severity Guidelines for Security Issues
  6. CISA Known Exploited Vulnerabilities Catalog
  7. Google Play: Android System WebView
  8. Google Play: Google Chrome
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.