CVE-2026-11035 · Inappropriate implementation in Custom Tabs in Google Chrome on Android prior to 149.0.7827.53 allowed a local attacker to perform privilege

01 · The Real Story

This is a bad lock on an interior door, not an open front gate

CVE-2026-11035 is an *inappropriate implementation* flaw in Chrome for Android's Custom Tabs path. Affected builds are Chrome on Android before 149.0.7827.53; the user-supplied advisory text says a local attacker with low privileges and user interaction can turn that flaw into a privilege escalation condition. In plain English: the attacker already needs code execution as an app on the device, then has to drive the victim through a Custom Tabs flow to get more capability than the Android/browser boundary should allow.

Google's HIGH 7.3 score is fair if you score the bug in a lab, where the end-state impact is severe. In the field, it is overstated for enterprise patch triage because every major prerequisite narrows reality: Android-only, local attacker, attacker app already present, user interaction required, and a Custom Tabs-specific execution path. That turns this into a *post-initial-access mobile abuse primitive*, not a remotely reachable mass-compromise event.

"This is a post-install Android app abuse path, not an enterprise-wide remote fire."

02 · The Attack Path

4 steps from start to impact.

STEP 01

Plant a malicious Android app

The attacker first needs code running locally on the device, typically as a sideloaded or trojanized Android app. That app starts from ordinary app privileges and cannot directly claim the higher trust or access associated with Chrome Custom Tabs without exploiting the flaw.

Conditions required:

Target is an Android device with Chrome installed and vulnerable
Attacker can get a malicious app installed
App has at least normal user-level execution on the device

Where this breaks in practice:

Managed Android fleets often restrict sideloading
Play Protect, MTD, and app reputation controls reduce success
This prerequisite already implies initial compromise of the handset

Detection/coverage: MDM, EMM, and mobile threat defense tools usually have better coverage for unapproved app installation than for the underlying browser flaw itself.

STEP 02

Invoke a vulnerable Custom Tabs flow

The malicious app must trigger the specific Chrome Custom Tabs code path that mishandles trust or privilege boundaries. The exploitability here depends on behavior inside the browser-app handoff, not a generic web page hit from the internet.

Conditions required:

Chrome is the Custom Tabs provider in use
The victim follows or permits the app's intended browser action
The vulnerable code path is reachable on that device/build

Where this breaks in practice:

Some apps use other browsers or in-app web views instead of Chrome Custom Tabs
Flow reliability can vary by OEM Android build and browser defaults
Enterprise-managed devices may enforce app defaults or browser policy

Detection/coverage: Traditional vuln scanners have weak visibility into runtime Custom Tabs usage. Asset inventory can usually identify Chrome version, but not whether a given app exercises the vulnerable path.

STEP 03

Abuse the implementation flaw to cross a trust boundary

Once in the vulnerable flow, the attacker attempts to gain capability they should not have had under normal app sandboxing or Custom Tabs security assumptions. The advisory's CVSS vector and description indicate a local privilege-escalation style outcome rather than remote code execution from the web alone.

Conditions required:

Exploit chain for the specific implementation bug is reliable enough
Victim performs the required interaction
Chrome build is still below 149.0.7827.53

Where this breaks in practice:

No public weaponized PoC was found during this review
User interaction is mandatory per the vendor CVSS vector
Exploit reliability against modern Android hardening is unclear from public data

Detection/coverage: Behavioral detection is more realistic than signature detection: look for suspicious app-to-browser launches, anomalous Custom Tabs use, and post-launch privilege abuse on the device.

STEP 04

Use elevated capability for data access or device abuse

If successful, the attacker can pivot from a low-privilege local app into higher-value browser-mediated access, which explains the high confidentiality, integrity, and availability impact in the original CVSS. But the blast radius stays constrained to the already-compromised handset and user context.

Conditions required:

Previous steps succeed on the same device
Valuable browser session state or protected functionality is present

Where this breaks in practice:

Impact is per-device, not fleet-wide from a single remote foothold
Enterprise data access may still be gated by conditional access, app attestation, or reauthentication

Detection/coverage: Conditional access telemetry, IdP session anomalies, and mobile EDR can catch downstream abuse better than they catch the browser bug itself.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No public evidence found of active exploitation, and the CVE is not listed in CISA KEV as of this review.
Proof-of-concept availability	No public PoC or weaponized exploit repo was found in open searching. Low-confidence negative finding; absence of a public repo is not absence of private tradecraft.
EPSS	0.00016 from the user-supplied intel, which is effectively background-noise territory rather than an emergent exploitation signal.
KEV status	No from the user-supplied intel; no CISA KEV entry located during this review.
CVSS vector meaning	`CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H` means local attacker, already has app-level execution, needs user interaction, and the impact is severe only after those prerequisites are met.
Affected versions	Chrome on Android prior to 149.0.7827.53 per the supplied advisory text and secondary advisories.
Fixed version	149.0.7827.53 or later for Chrome on Android according to the supplied advisory text and secondary advisories.
Exposure profile	Internet-wide scanner data like Shodan/Censys/FOFA is not meaningful here because this is a client-side Android browser flaw, not an exposed network service. That is an inference from the product type and attack vector.
Disclosure date	2026-06-04 from the supplied intel.
Reporting / attribution	Public materials reviewed do not name a researcher for this specific CVE. Google/Chromium materials around Custom Tabs security show this area has received prior academic scrutiny, but not necessarily for this exact bug.

04 · The Call

noisgate verdict.

Final Verdict

↓ DOWNGRADED to MEDIUM (4.9/10)

The decisive factor is attacker position: this requires a local Android app foothold first, which makes it a post-initial-access privilege step rather than an initial compromise vector. The bug may be technically nasty on a single handset, but it does not create broad remote reach across a 10,000-device estate by itself.

HIGH Prerequisite friction from the CVSS vector: local + low privileges + user interaction

MEDIUM Assessment that enterprise impact is lower than vendor HIGH

LOW PoC and exploitation-publicity gap because public technical detail is sparse

Why this verdict

Down from 7.3 because attacker must already be on the device: AV:L/PR:L means this is not a remote entry point; it assumes the adversary has already landed a malicious app or equivalent local code execution.
Further down because it needs user interaction: UI:R means exploitation is not silent and fully automatable at internet scale.
Further down because the reachable population is narrower than Chrome overall: this is Chrome on Android and specifically a Custom Tabs path, not every desktop browser session or every generic web render path.
EPSS is near zero and there is no KEV signal: the available exploitation telemetry does not support urgent reprioritization upward.
Blast radius is per-device: even when successful, the likely impact is bounded to the already-compromised handset and user context, not a one-shot fleet event.

Why not higher?

This is not unauthenticated remote exploitation from the internet, and it does not give an attacker their first foothold. Every gate in the chain compounds downward pressure: local app presence, Android-only scope, vulnerable Custom Tabs path, and required user interaction. That is not CRITICAL or HIGH patch-train material for most enterprise queues.

Why not lower?

I am not pushing this to LOW because Chrome on Android is common, the impacted component sits on a sensitive app-to-browser trust boundary, and the declared CIA impact is all high once exploitation lands. On mobile fleets with broader app-install freedom, a browser-mediated privilege jump still matters enough to keep out of backlog-hygiene territory.

05 · Compensating Control

What to do — in priority order.

Restrict unapproved app installs — Use EMM/MDM policy, Play Protect enforcement, and enterprise app allowlisting to reduce the core prerequisite: a malicious local app. For a MEDIUM noisgate verdict there is no mitigation SLA — go straight to the 365-day remediation window, but this control is worth maintaining continuously because it removes the attacker's hardest dependency.
Inventory Chrome for Android versions — Confirm which managed Android devices are below 149.0.7827.53 and whether Chrome is the active browser/Custom Tabs provider. For a MEDIUM verdict there is no mitigation SLA — go straight to the 365-day remediation window, but version visibility prevents this from becoming a blind spot on mobile fleets.
Monitor suspicious app-to-browser launches — Use mobile threat defense, app telemetry, or EDR-style mobile controls to look for unusual Custom Tabs invocation patterns from low-trust apps. For MEDIUM, there is no mitigation SLA — go straight to the 365-day remediation window; this is a detection-and-containment control, not a substitute for updating.
Enforce conditional access for browser-backed enterprise apps — If exploitation aims to steal or misuse browser-mediated sessions, conditional access, device posture checks, and step-up auth can reduce the value of the gained privilege. For MEDIUM, there is no mitigation SLA — go straight to the 365-day remediation window, but apply this broadly because it cushions many mobile browser abuse paths.

What doesn't work

A WAF does not help; this is not an internet-facing server flaw you can shield at the edge.
Desktop browser patching alone does not help; the issue is Chrome on Android.
Network vulnerability scanning gives poor coverage; scanners may inventory app versions but cannot meaningfully test the runtime Custom Tabs trust-boundary bug.

06 · Verification

Crowdsourced verification payload.

Run this from an auditor workstation with adb installed, against a connected Android device or emulator that has USB debugging or network debugging enabled. Invoke it as ./check_chrome_android_cve_2026_11035.sh or ./check_chrome_android_cve_2026_11035.sh emulator-5554; no root is required, but adb shell dumpsys package com.android.chrome must be permitted.

noisgate-verify.sh

BASHREAD-ONLYSAFE

#!/usr/bin/env bash
# check_chrome_android_cve_2026_11035.sh
# Purpose: Determine whether Chrome on Android is vulnerable to CVE-2026-11035
# Logic: Chrome versions prior to 149.0.7827.53 are VULNERABLE
# Exit codes:
#   0 = PATCHED
#   1 = VULNERABLE
#   2 = UNKNOWN / could not determine

set -u

TARGET_VERSION="149.0.7827.53"
PKG="com.android.chrome"
ADB_BIN="${ADB_BIN:-adb}"
SERIAL="${1:-}"

adb_cmd() {
  if [ -n "$SERIAL" ]; then
    "$ADB_BIN" -s "$SERIAL" "$@"
  else
    "$ADB_BIN" "$@"
  fi
}

version_lt() {
  # returns 0 if $1 < $2
  [ "$1" = "$2" ] && return 1
  local first
  first=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)
  [ "$first" = "$1" ]
}

get_version() {
  adb_cmd shell dumpsys package "$PKG" 2>/dev/null | sed -n 's/.*versionName=\([^[:space:]]*\).*/\1/p' | head -n1
}

if ! command -v "$ADB_BIN" >/dev/null 2>&1; then
  echo "UNKNOWN: adb not found in PATH"
  exit 2
fi

if ! adb_cmd get-state >/dev/null 2>&1; then
  echo "UNKNOWN: no reachable adb device"
  exit 2
fi

if ! adb_cmd shell pm path "$PKG" >/dev/null 2>&1; then
  echo "UNKNOWN: Chrome package $PKG not installed or inaccessible"
  exit 2
fi

VERSION=$(get_version)

if [ -z "$VERSION" ]; then
  echo "UNKNOWN: unable to read Chrome versionName"
  exit 2
fi

case "$VERSION" in
  *[!0-9.]* )
    echo "UNKNOWN: unexpected version format: $VERSION"
    exit 2
    ;;
esac

if version_lt "$VERSION" "$TARGET_VERSION"; then
  echo "VULNERABLE: Chrome version $VERSION is older than $TARGET_VERSION"
  exit 1
else
  echo "PATCHED: Chrome version $VERSION is $TARGET_VERSION or newer"
  exit 0
fi

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning, treat this as a mobile hygiene patch, not a breach siren: identify managed Android devices running Chrome below 149.0.7827.53, verify whether your app-control stack already blocks the malicious-app prerequisite, and roll the browser update through normal mobile operations. Because this is MEDIUM, there is noisgate mitigation SLA: no mitigation SLA — go straight to the 365-day remediation window; the noisgate remediation SLA is ≤ 365 days, though most teams should simply absorb it in the next routine Android/Chrome mobile update cycle rather than letting it linger all year.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.