CVE-2026-11025 · Insufficient policy enforcement in Navigation in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to bypass content

01 · The Real Story

This is a side door inside the building, not a front door on the street

The flaw is a navigation-policy enforcement bypass in Chrome on Android. Based on the user-supplied description, it affects Chrome on Android before the June 2026 Chrome 149 fix train; on Android that shipped as 149.0.7827.59, which Google says carries the same security fixes as the corresponding desktop 149.0.7827.53/54 release. The practical impact is not native code execution; it is bypassing browser navigation restrictions through crafted web content.

Reality is softer than the scary phrasing. The strongest authoritative match I could verify on June 5, 2026 is NVD's CVE-2026-11287, which describes the same bug class in Navigation on Chrome for Android but adds the crucial precondition that the attacker already has a *compromised renderer process*; that turns this from an initial-access bug into an exploit-chain helper. For an enterprise patch queue, that is backlog-grade unless new exploitation evidence appears.

"Chain-only Chrome-on-Android nav bypass: real bug, but it needs prior compromise and has weak real-world urgency."

02 · The Attack Path

4 steps from start to impact.

STEP 01

Land the victim on attacker content

The attacker needs the target to browse to a crafted page in Chrome on Android. That is straightforward for phishing, malvertising, or a redirect chain, but it only gets the attacker into normal web content execution, not past Chrome's security boundaries.

Conditions required:

Target uses Chrome on Android below the fixed build
User opens attacker-controlled content

Where this breaks in practice:

Enterprise mobile fleets are often smaller than desktop fleets
URL filtering, Safe Browsing, and user behavior training cut down delivery success

Detection/coverage: MDM inventory can identify stale Chrome versions; web gateways may log delivery domains, but scanners do not directly detect page-level triggerability.

STEP 02

Arrive with a compromised renderer

The best corroborated official record for this bug class says the attacker must already control the renderer process. In practice that means a separate browser memory-corruption or logic bug has already fired, and this Navigation flaw becomes a follow-on primitive rather than a standalone compromise path.

Conditions required:

A separate renderer-compromise bug or equivalent exploit step succeeds first

Where this breaks in practice:

This is a major chain dependency
Modern Chrome exploit mitigations and site isolation make renderer compromise materially harder than simple web bugs
Most opportunistic attackers will not burn a full chain for a navigation-bypass helper

Detection/coverage: No mainstream vuln scanner can validate 'renderer already compromised'; EDR on Android is limited, so detection mostly comes from browser crash telemetry and managed-device threat defense products.

STEP 03

Bypass navigation restrictions

With the crafted HTML and the renderer foothold, the attacker abuses insufficient policy enforcement in Navigation to bypass intended restrictions. The likely payoff is origin/navigation abuse, redirection trust abuse, or enabling a wider exploit chain—not device takeover by itself.

Conditions required:

The vulnerable Navigation code path is reachable on Android
The victim remains in the malicious browsing session

Where this breaks in practice:

Impact is scoped to browser trust and navigation behavior, not direct OS execution
Many post-exploitation goals still need another primitive after this step

Detection/coverage: No reliable network signature. Browser-side telemetry and anomaly-focused mobile threat defense are better bets than perimeter IDS.

STEP 04

Monetize the bypass

The attacker would use the navigation bypass to support phishing deception, origin confusion, interstitial bypass, or another chained browser exploit. That can matter in targeted operations, but it is a weak stand-alone business risk compared with memory corruption or sandbox escape bugs.

Conditions required:

Attacker has a follow-on objective that benefits from broken navigation policy

Where this breaks in practice:

Blast radius is usually one browsing session on one device
No evidence this flaw alone produces persistence or lateral movement

Detection/coverage: Watch for suspicious deep links, abnormal redirect patterns, and repeated Chrome crash/restart sequences on managed Android devices.

03 · Intelligence Metadata

The supporting signals.

Record status	I could not verify `CVE-2026-11025` in primary sources on June 5, 2026. The closest authoritative match is CVE-2026-11287 with the same Navigation-on-Android bug class and an extra renderer-compromise prerequisite.
In-the-wild status	No credible active-exploitation evidence found in primary sources reviewed; not KEV-listed.
PoC availability	No reputable public PoC or weaponized repo found. The Chromium issue is still restricted, which is normal shortly after disclosure.
EPSS	User-supplied EPSS is 0.00016. That is effectively floor-level exploit prediction and is consistent with a chain-only browser logic flaw rather than a hot internet-wide target.
KEV status	Absent from CISA KEV as checked against the public catalog on 2026-06-05.
Severity metadata	There is no vendor-published CVSS baseline for the user-provided CVE. The matching NVD record for `CVE-2026-11287` shows CISA-ADP 6.5 / `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`, while the Chrome-provided textual severity is Low.
Affected versions	Chrome on Android before the Chrome 149 fixed train. User intel says before `149.0.7827.53`; Google's Android release post says Android shipped as `149.0.7827.59` while inheriting desktop security fixes.
Fixed version	For Android fleets, treat `149.0.7827.59` or later as patched. Desktop `149.0.7827.53/54` references are relevant only because Google states Android carries the same security fixes.
Exposure reality	This is a client-side browser issue, so Shodan/Censys/FOFA-style external attack-surface counts are basically not useful. Reachability depends on a user browsing malicious content on an affected Android device, not on exposed listening services.
Disclosure	Publicly disclosed 2026-06-04; Chrome 149 stable shipped 2026-06-02 according to Google's release notes.

04 · The Call

noisgate verdict.

Final Verdict

= UNCHANGED to LOW (3.4/10)

The decisive factor is the post-compromise prerequisite: the best authoritative description for this bug class requires the attacker to have already compromised the renderer process before this flaw matters. That sharply limits both the reachable population and the stand-alone blast radius, pushing it out of urgent patch territory for a 10,000-host enterprise program.

MEDIUM Severity assessment for the user-provided CVE identifier

HIGH Assessment that this bug class is materially constrained by exploit-chain dependencies

Why this verdict

Hard downgrade for attacker position: the best primary-source match says the attacker needs a *compromised renderer process* first. That implies post-initial-exploit activity inside Chrome, not a front-door bug.
Population is narrower than desktop Chrome issues: this is Android-only, client-side, and depends on users browsing attacker content. That is a much smaller and less controllable exposure set than an internet-facing service flaw.
Threat evidence is cold: no KEV listing, no credible campaign reporting, no public PoC, and EPSS 0.00016 all point to low near-term exploitation pressure.

Why not higher?

A higher rating would require either a stand-alone path to meaningful compromise or proof that this bug is already being chained in the wild. I found neither. The renderer-compromise prerequisite is the killer friction point; it turns the flaw into a helper primitive, not an entry primitive.

Why not lower?

I did not score this IGNORE because it still touches a browser-enforced security boundary on a widely deployed app. In targeted exploit chains, navigation-policy bypasses can improve phishing realism, origin confusion, or chain reliability, so the issue deserves patching—just not a fire drill.

05 · Compensating Control

What to do — in priority order.

Force Play auto-updates for Chrome — Use Android Enterprise / MDM policy to require automatic app updates for com.android.chrome. For a LOW verdict there is no SLA (treat as backlog hygiene), so fold this into routine mobile policy enforcement rather than emergency change control.
Alert on stale Chrome builds — Create a compliance rule for Android devices reporting Chrome below 149.0.7827.59. This gives you immediate inventory truth and lets you clean up stragglers during normal maintenance, which is the right cadence for a low-urgency client-side flaw.
Reduce alternate browser paths — Limit unmanaged browsers and sideloading on corporate Android devices so users stay on the centrally updated Chrome channel. That shrinks version drift and lowers the chance that stale builds linger in the fleet without visibility.
Harden mobile web delivery controls — Keep Safe Browsing, DNS filtering, and mobile threat defense enabled to reduce visits to attacker-controlled pages. These controls do not 'fix' the bug, but they add friction to Step 1 while you remediate in normal backlog order.

What doesn't work

A WAF does not help; this is a client-side browser logic flaw, not an attack against your web server.
Traditional perimeter IDS signatures are weak here because the trigger is crafted page behavior inside Chrome, not a stable network exploit pattern.
Patching desktop Chrome only misses the affected population; this issue is about Chrome on Android.

06 · Verification

Crowdsourced verification payload.

Run this from an auditor/admin workstation that has adb installed and can reach a managed Android device over USB or approved remote debugging. Invoke it as ANDROID_SERIAL=<device-serial> ./check_chrome_android.sh; it needs no root on the device, but it does need adb shell access and visibility into the com.android.chrome package metadata.

noisgate-verify.sh

BASHREAD-ONLYSAFE

#!/usr/bin/env bash
# check_chrome_android.sh
# Verify whether Chrome on an attached Android device is below the fixed version.
# Output: VULNERABLE / PATCHED / UNKNOWN
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

set -euo pipefail

PKG="com.android.chrome"
FIXED="149.0.7827.59"
ADB_BIN="${ADB_BIN:-adb}"

ver_lt() {
  local a="$1" b="$2"
  if [[ "$a" == "$b" ]]; then
    return 1
  fi
  [[ "$(printf '%s\n%s\n' "$a" "$b" | sort -V | head -n1)" == "$a" ]]
}

if ! command -v "$ADB_BIN" >/dev/null 2>&1; then
  echo "UNKNOWN: adb not found in PATH"
  exit 2
fi

if ! "$ADB_BIN" get-state >/dev/null 2>&1; then
  echo "UNKNOWN: no adb device available (set ANDROID_SERIAL if needed)"
  exit 2
fi

version="$($ADB_BIN shell dumpsys package "$PKG" 2>/dev/null | tr -d '\r' | awk -F= '/versionName=/{print $2; exit}')"

if [[ -z "${version:-}" ]]; then
  version="$($ADB_BIN shell cmd package list packages -f "$PKG" 2>/dev/null | tr -d '\r' | sed -n 's/.*com.android.chrome=//p' | head -n1 || true)"
fi

if [[ -z "${version:-}" ]]; then
  echo "UNKNOWN: could not read Chrome version for $PKG"
  exit 2
fi

if ver_lt "$version" "$FIXED"; then
  echo "VULNERABLE: $PKG version $version is below fixed $FIXED"
  exit 1
else
  echo "PATCHED: $PKG version $version is at or above fixed $FIXED"
  exit 0
fi

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning: document the CVE-ID mismatch, confirm whether your tooling mapped this finding from secondary feeds rather than Google's own record, and then let your Android fleet management team close it through normal browser-update hygiene. For a LOW verdict there is noisgate mitigation SLA: none and noisgate remediation SLA: none — treat as backlog hygiene, so do not preempt higher-value patch work; just ensure managed Android devices converge to Chrome 149.0.7827.59+ in the next routine mobile app update cycle and keep an eye out for any shift to KEV listing or exploitation evidence that would instantly change the priority.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.