← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
CVE-2026-11097 · CWE-474 · Disclosed 2026-06-04

Inappropriate implementation in WebView in Google Chrome on Android prior to 149

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is a peephole in a moving car, not a missing wall in the data center

CVE-2026-11097 is a WebView cross-origin data leak in Google Chrome on Android affecting builds prior to 149.0.7827.53. The bug class is confidentiality-only: a remote attacker can use a crafted HTML page to read data that should stay isolated by the browser's origin boundaries, but only inside the vulnerable Android browsing/WebView context. There is no code execution, no sandbox escape, and no direct server-side foothold here.

Google's MEDIUM 6.5 is technically fair in a lab, but it overstates enterprise urgency. The real-world chain needs an Android user to load attacker content in Chrome or an app-backed WebView, then have valuable cross-origin data present in that same context; that sharply narrows population, blast radius, and operational payoff compared with remotely exploitable server or desktop-browser RCE bugs.

"Real bug, but this is a narrow client-side data leak with low enterprise reach and weak exploitation signals"
02 · The Attack Path

4 steps from start to impact.

STEP 01

Land malicious web content in a vulnerable Android rendering surface

The attacker hosts a crafted HTML page and gets the victim to open it in Chrome on Android or an app using Android System WebView. Weaponization is straightforward browser content, not a named public exploit kit: think phishing link, ad traffic, or deep-linked in-app page.
Conditions required:
  • Target is on Android with Chrome/WebView below 149.0.7827.53
  • User opens attacker-controlled content
  • The relevant app path actually uses the vulnerable WebView/Chrome component
Where this breaks in practice:
  • Requires *user interaction* (UI:R), so no wormable or scan-and-pop path
  • Many managed apps do not expose arbitrary external content inside privileged WebViews
  • Auto-update through Play reduces vulnerable dwell time on well-managed fleets
Detection/coverage: Traditional network scanners will miss this. Coverage comes from mobile inventory/MDM package-version telemetry, Play compliance, and browser/app crash or URL-click telemetry rather than perimeter scanning.
STEP 02

Trigger the cross-origin read primitive

Once rendered, the crafted page abuses the WebView implementation flaw to read cross-origin data that should be isolated by browser policy. There is no evidence of public weaponized tooling; the exploit appears to be custom HTML/JavaScript content coupled to the vulnerable code path.
Conditions required:
  • Victim session holds sensitive cross-origin state or content worth stealing
  • The vulnerable path is reachable from that page in the target app/browser context
Where this breaks in practice:
  • This is *confidentiality-only*; no direct integrity or availability win
  • Modern site hardening like HttpOnly, strict cookie policy, origin partitioning, and app design can reduce what is actually exposed
  • Many enterprise apps avoid embedding sensitive workflows in generic WebViews
Detection/coverage: EDR is largely blind on mobile browser logic bugs. Detection is mostly indirect: anomalous SSO/session use after device browsing activity, app telemetry, or vendor/browser security logging where available.
STEP 03

Exfiltrate leaked data off-device

Any readable cross-origin content or token-adjacent data then has to be shipped back to attacker infrastructure over normal web traffic. The payload is usually small and blends into ordinary HTTPS egress, which makes precision detection difficult.
Conditions required:
  • Leaked material is script-readable and valuable
  • Attacker controls an exfil endpoint reachable from the device
Where this breaks in practice:
  • What the attacker gets may be partial page data rather than durable credentials
  • Token binding, short session lifetimes, and MFA can cut post-theft value
Detection/coverage: Mobile threat defense, DNS filtering, Safe Browsing, and secure web gateways can catch known bad destinations, but they do not fix the underlying browser isolation flaw.
STEP 04

Monetize the stolen session data

The attacker still needs the leaked data to translate into account access, business data theft, or follow-on phishing. In enterprise reality, this often means targeting SSO or internal web apps viewed on managed Android devices.
Conditions required:
  • The victim used sensitive enterprise web apps in the same vulnerable context
  • Stolen material is sufficient to replay or meaningfully disclose data
Where this breaks in practice:
  • Blast radius is usually one user session, not fleet-wide compromise
  • Conditional access, device binding, and session revalidation reduce reuse
Detection/coverage: Identity telemetry is your best backstop: impossible travel, new device/session anomalies, token replay signals, and abnormal SaaS access patterns.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusNo confirmed active exploitation found in vendor material reviewed, and not listed in CISA KEV.
Proof-of-concept availabilityNo public PoC repo or named researcher exploit was found in reviewed sources. Chromium issue tracking appears restricted, which is normal for fresh browser bugs.
EPSS0.00032 from user-provided intel; that is very low. Exact percentile was not verified from a primary EPSS snapshot during this review.
KEV statusNot KEV-listed as of this assessment. No KEV added date applies.
CVSS vectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N — remote and easy to trigger, but user interaction is mandatory and impact is confidentiality-only.
Affected versionsGoogle Chrome on Android / Android WebView prior to 149.0.7827.53.
Fixed versionsUpgrade to 149.0.7827.53 or later. For Android this is typically delivered through Google Play package updates rather than distro-style backports.
Scanning / exposure dataShodan/Censys/FOFA-style internet census is not meaningful here because Android WebView is a client-side rendering component, not an internet-exposed service.
Disclosure date2026-06-04.
Reporter / discovererNot publicly attributable from the sources reviewed. Chrome commonly withholds detailed bug metadata until patch adoption improves.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to LOW (3.9/10)

The decisive factor is reachability friction: this requires an Android user to browse attacker-controlled content in a vulnerable Chrome/WebView context, and the outcome is a scoped data leak rather than code execution. That makes it a one-user, one-session-style client issue, not an enterprise-wide intrusion accelerator.

HIGH Downgrade from vendor `MEDIUM` to `LOW` based on user-interaction and client-side-only attack surface
MEDIUM Exact exploit details, because the Chromium bug record is not publicly open

Why this verdict

  • Downgrade from 6.5 for attacker position: the bug is *unauthenticated remote* on paper, but it still requires the victim to open malicious content on Android. That user-action prerequisite is real friction at fleet scale.
  • Downgrade for exposure population: this is not an internet-facing server flaw. It only matters on Android devices running vulnerable Chrome/WebView, and only where users hit the vulnerable content path.
  • Downgrade for blast radius: impact is confidentiality-only and usually limited to the victim's in-browser or in-app session data, not device takeover, tenant takeover, or domain-wide privilege gain.
  • Downgrade for threat signal weakness: no KEV listing, no verified public campaigns, and EPSS 0.00032 all point to low near-term exploitation pressure.
  • Keep above IGNORE: cross-origin leaks can still expose authenticated business data or session-adjacent secrets if your Android users access SSO-backed SaaS or internal apps through WebView.

Why not higher?

There is no code execution, no sandbox escape, and no evidence of active exploitation. More importantly, requiring Android client interaction means this cannot be mass-exploited the way perimeter or zero-click browser bugs can.

Why not lower?

This is still a real browser isolation failure, not a theoretical lint finding. If a managed Android user opens malicious content while authenticated to sensitive web apps, the attacker may get meaningful confidential data, so writing it off completely would be sloppy.

05 · Compensating Control

What to do — in priority order.

  1. Force-update Chrome and Android System WebView — Use MDM or enterprise Play policy to push 149.0.7827.53 or later across managed Android devices. For a LOW verdict there is no SLA; treat this as backlog hygiene and complete it in the next routine mobile update wave.
  2. Restrict untrusted content in embedded WebViews — Where you control Android apps, stop opening arbitrary external URLs inside privileged WebViews and prefer hardened browser flows or Custom Tabs for identity-sensitive journeys. With LOW, fold this into normal app-hardening work rather than emergency change.
  3. Monitor Android version drift in MDM — Build a compliance view for com.android.chrome and com.google.android.webview versions so stragglers are visible. For LOW, handle drift during normal compliance cleanup and exception review.
  4. Harden session abuse detection — Use IdP and SaaS telemetry to flag token replay, unusual mobile-origin sessions, and post-click account anomalies. This does not remove the bug, but it shortens time-to-detect if leaked data is actually monetized.
What doesn't work
  • A WAF does not meaningfully help; the vulnerable logic sits in the client rendering engine, not your server request parser.
  • Perimeter vulnerability scanners will not find or prove this; Android WebView is a client component and typically invisible to network-based scanning.
  • Traditional desktop EDR assumptions do not translate well here; mobile browser isolation failures often leave little endpoint telemetry.
06 · Verification

Crowdsourced verification payload.

Run this on an auditor workstation with adb installed against a connected Android device or emulator with USB debugging enabled: bash check_webview_cve_2026_11097.sh <serial>. It needs no root, but it does need permission to query package metadata over adb shell.

noisgate-verify.sh
BASHREAD-ONLYSAFE
#!/usr/bin/env bash
# check_webview_cve_2026_11097.sh
# Checks Chrome/WebView package versions on an Android device for CVE-2026-11097
# Usage: bash check_webview_cve_2026_11097.sh <device-serial>
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

set -u

FIXED="149.0.7827.53"
SERIAL="${1:-}"

if ! command -v adb >/dev/null 2>&1; then
  echo "UNKNOWN - adb not found in PATH"
  exit 2
fi

ADB=(adb)
if [ -n "$SERIAL" ]; then
  ADB+=( -s "$SERIAL" )
fi

if ! "${ADB[@]}" get-state >/dev/null 2>&1; then
  echo "UNKNOWN - no reachable adb device${SERIAL:+ with serial $SERIAL}"
  exit 2
fi

get_ver() {
  local pkg="$1"
  "${ADB[@]}" shell dumpsys package "$pkg" 2>/dev/null | tr -d '\r' | awk -F= '/versionName=/{print $2; exit}'
}

ver_ge() {
  # returns 0 if $1 >= $2
  [ "$1" = "$2" ] && return 0
  local first
  first=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)
  [ "$first" = "$2" ]
}

WEBVIEW_PKG="com.google.android.webview"
CHROME_PKG="com.android.chrome"

WEBVIEW_VER=$(get_ver "$WEBVIEW_PKG")
CHROME_VER=$(get_ver "$CHROME_PKG")

if [ -z "$WEBVIEW_VER" ] && [ -z "$CHROME_VER" ]; then
  echo "UNKNOWN - neither $WEBVIEW_PKG nor $CHROME_PKG version could be read"
  exit 2
fi

STATUS="PATCHED"
DETAILS=()

if [ -n "$WEBVIEW_VER" ]; then
  if ver_ge "$WEBVIEW_VER" "$FIXED"; then
    DETAILS+=("$WEBVIEW_PKG=$WEBVIEW_VER (patched)")
  else
    STATUS="VULNERABLE"
    DETAILS+=("$WEBVIEW_PKG=$WEBVIEW_VER (< $FIXED)")
  fi
else
  DETAILS+=("$WEBVIEW_PKG=not_present_or_not_reported")
fi

if [ -n "$CHROME_VER" ]; then
  if ver_ge "$CHROME_VER" "$FIXED"; then
    DETAILS+=("$CHROME_PKG=$CHROME_VER (patched)")
  else
    STATUS="VULNERABLE"
    DETAILS+=("$CHROME_PKG=$CHROME_VER (< $FIXED)")
  fi
else
  DETAILS+=("$CHROME_PKG=not_present_or_not_reported")
fi

if [ "$STATUS" = "VULNERABLE" ]; then
  echo "VULNERABLE - ${DETAILS[*]}"
  exit 1
fi

echo "PATCHED - ${DETAILS[*]}"
exit 0
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning, do not burn emergency change capital on this one unless you have a very Android-heavy workforce using sensitive SSO or internal apps inside embedded WebViews. Inventory managed Android devices, confirm com.android.chrome and com.google.android.webview are at least 149.0.7827.53, and clean up laggards in the next normal mobile patch wave; for a LOW verdict there is no noisgate mitigation SLA and no noisgate remediation SLA beyond treating it as backlog hygiene, so document the rationale and keep it out of the front of the queue.

Sources

  1. Chrome Releases 2026 archive
  2. Chrome for Android Update (May 28, 2026)
  3. Early Stable Update for Desktop (May 29, 2026)
  4. Android Developers: Build web apps in WebView
  5. Google Play: Android System WebView
  6. CISA Known Exploited Vulnerabilities Catalog
  7. FIRST EPSS data and statistics
  8. Vulnerability-Lookup Chrome June 2026 batch search
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.