← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
CVE-2026-11108 · CWE-269 · Disclosed 2026-06-04

Inappropriate implementation in NFC in Google Chrome on Android prior to 149

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is a trapdoor behind a turnstile, not an open front door

CVE-2026-11108 is an *inappropriate implementation* bug in Chrome's NFC handling on Android. A malicious site can drive the vulnerable code path with crafted HTML, but the affected population is limited to Google Chrome on Android before 149.0.7827.53.

The vendor-style 8.8/HIGH score overstates operational risk for enterprise patching because it models the impact once the bug is reached, not the real-world friction required to reach it. Web NFC on Chrome for Android is gated behind top-level HTTPS, user gesture, user permission, visible unlocked page state, NFC-capable hardware, NFC being enabled, and usually an NFC interaction path at close range; that stack of prerequisites is why this behaves more like a medium-priority mobile client bug than a broad internet emergency.

"Downgraded to MEDIUM: this is Android-only and gated by Web NFC permission, user action, and likely physical NFC conditions."
02 · The Attack Path

4 steps from start to impact.

STEP 01

Land the victim on a crafted Android Chrome page

The attacker first needs a victim using Chrome on Android to browse to attacker-controlled HTML. The practical weapon here is just a phishing link, malvertising redirect, or in-app browser handoff that opens the page in managed or unmanaged mobile Chrome.
Conditions required:
  • Victim is running Chrome on Android
  • Installed version is earlier than 149.0.7827.53
  • Attacker can get the victim to open a malicious page
Where this breaks in practice:
  • This is not a server-side bug; there is no passive internet-wide exploitation path
  • Enterprise Android fleets often auto-update Chrome through Google Play or EMM-managed app policy
Detection/coverage: Version scanners and MDM inventory are the primary coverage. Network scanners cannot identify this reliably because the vulnerable surface is a client app, not a listening service.
STEP 02

Reach the Web NFC code path with browser-native NDEFReader

The page then has to invoke the browser's Web NFC surface, typically through NDEFReader. Chrome's own developer guidance says Web NFC is restricted to top-level frames, secure contexts, and methods such as scan() and write() require a user gesture and may trigger a permission prompt.
Conditions required:
  • Page is loaded over HTTPS
  • Page is a top-level visible frame
  • Victim performs a user gesture
  • Victim grants NFC access if not already granted
Where this breaks in practice:
  • Permission prompts kill commodity exploit chains
  • Top-level-frame and HTTPS requirements remove many ad-tech and embedded-widget abuse paths
  • Browser permission resets and managed profile settings can block or wipe prior grants
Detection/coverage: Browser telemetry may show NFC permission prompts or site permission grants, but most enterprise tools do not deeply inspect mobile browser API usage.
STEP 03

Satisfy the physical-world NFC prerequisites

Chrome's Web NFC documentation states the phone must support NFC, NFC must be enabled, the page must remain visible, and the device must be unlocked. In normal use, successful scan/write workflows also require the phone to be brought close to an NFC tag, which adds a real physical-world prerequisite to exploitation.
Conditions required:
  • Android device has NFC hardware
  • NFC is enabled
  • Screen is unlocked and page remains visible
  • Victim performs the NFC interaction path
Where this breaks in practice:
  • Many enterprise phones have NFC disabled unless needed for business workflows
  • Physical proximity to a tag or deliberate NFC action is a major reachability reducer
  • Backgrounded pages and locked screens suspend NFC operations
Detection/coverage: There is little perimeter visibility here. MDM posture data about NFC state and device model gives better signal than SOC tooling.
STEP 04

Trigger the flawed NFC implementation for privilege escalation

Once the vulnerable NFC path is reached, the crafted page can trigger the implementation flaw and elevate privileges within the browser/app context. The impact may be serious on a single device, but the exploit chain is still gated by every earlier step, which sharply limits realistic campaign scale.
Conditions required:
  • All prior Web NFC and device prerequisites are satisfied
  • Target remains on a vulnerable Chrome build
Where this breaks in practice:
  • No public exploit or active-campaign reporting was found
  • Chrome's own release material classifies the underlying Chromium security severity as *Medium*
Detection/coverage: Exploit-specific detection is poor today. Best coverage is preventive: app-version compliance, browser permission policy, and NFC state controls.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusNo evidence found of active exploitation, and CISA KEV does not list CVE-2026-11108 as of 2026-06-06.
Public PoC availabilityNo public PoC or exploit repo was found in primary-source checks. The Chromium issue (500517053) is not publicly readable without sign-in, which usually slows casual weaponization.
EPSSUser-supplied EPSS is 0.00035, which is extremely low and consistent with a bug that has multiple deployment and interaction gates.
KEV statusNot KEV-listed. No CISA date added or due date applies.
Vendor vs. Chromium severityThe supplied baseline is HIGH / 8.8, but the CVE description published through Chrome's CNA path says "Chromium security severity: Medium". That mismatch is the first clue that CVSS is overweighting theoretical impact.
CVSS vector interpretedCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H assumes network reachability with only user interaction. In practice, *UI:R* is doing a lot of work here because Web NFC adds extra gates beyond a simple page visit.
Affected versionsChrome on Android versions before 149.0.7827.53.
Fixed versionUpdate to 149.0.7827.53 or later. For this mobile app there is no distro-style backport story; protection is delivered through the Chrome app update channel.
Exposure / scanning realityThis is a client-side Android browser issue, so Shodan/Censys/FOFA are not meaningful exposure sources. You need MDM / EMM app inventory and Play/managed-Play compliance data, not internet scanning.
Disclosure and reporterDisclosed 2026-06-04. Chrome release notes show reported by Google on 2026-04-08 under issue 500517053.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to MEDIUM (5.3/10)

The decisive downgrade factor is exploit reachability: this bug sits behind Android-only Web NFC controls that require user action, permissioning, and likely a real NFC interaction path. That makes the affected population and campaign scalability dramatically smaller than the raw 8.8 score suggests.

HIGH Affected version range and fixed version
HIGH Web NFC prerequisite analysis
MEDIUM Exact exploit chain details, because the Chromium bug is not publicly readable

Why this verdict

  • Physical-world gating reduced the score: Chrome's Web NFC flow requires top-level HTTPS, visible unlocked page state, user gesture, permission grant, NFC-capable hardware, NFC enabled, and usually tag proximity.
  • Client-only exposure reduced the score: this is Android Chrome, not an internet-facing daemon, so attackers cannot mass-scan and slam it the way they would a perimeter RCE.
  • No threat signal reduced the score: no KEV listing, no public PoC found, and the supplied EPSS of 0.00035 all argue against near-term broad weaponization.

Why not higher?

If this were a zero-click browser bug, a no-permission API path, or a sandbox escape with demonstrated exploitation, it would stay in HIGH or go higher. The real chain here is narrower: Android-only plus Web NFC plus user-and-device conditions is simply not broad enough to justify emergency treatment.

Why not lower?

It is still a privilege-escalation bug in Chrome, which is one of the most deployed applications on managed Android devices. If your organization uses NFC-enabled Android kiosks, field devices, badge workflows, or payment-adjacent mobile roles, the reachable subset is meaningful enough that this should not be ignored.

05 · Compensating Control

What to do — in priority order.

  1. Disable NFC where it is not a business requirement — Use EMM/MDM policy to turn off NFC on managed Android devices that do not need it. For a MEDIUM verdict there is no noisgate mitigation SLA; this is optional risk reduction, but it is the single best compensating control while you work through the 365-day remediation window.
  2. Reset or deny Chrome NFC site permissions — Where your mobile management stack supports it, clear prior site permissions or enforce restrictive browser permission defaults so hostile pages cannot reuse earlier NFC grants. There is no mitigation SLA for MEDIUM; apply as defense-in-depth on higher-risk Android cohorts such as kiosks, shared devices, and field phones.
  3. Prioritize managed Android cohorts with NFC workflows — Segment devices used for badge scanning, asset tagging, retail, logistics, or kiosk workflows because those are the fleets most likely to satisfy the NFC prerequisite chain. For MEDIUM, there is no mitigation SLA — go straight to the 365-day remediation window, but these cohorts deserve first patch priority inside that window.
  4. Use mobile URL filtering and Safe Browsing enforcement — This will not fix the bug, but it reduces the chance that users ever reach attacker-controlled pages that try to invoke Web NFC. Apply on managed Android browsers as standard hygiene while patching through the normal remediation cycle.
What doesn't work
  • A WAF or perimeter IPS does not help much because the vulnerable target is the user's mobile browser, not your internet-facing application.
  • Shodan/Censys exposure hunting does not help because there is no remotely enumerable service footprint for Chrome on Android.
  • Generic email attachment blocking is not enough by itself; the realistic initial access is just a link to a malicious page, not necessarily a downloadable file.
06 · Verification

Crowdsourced verification payload.

Run this from an auditor workstation that has adb installed and authorized access to the target Android device. Invoke it as ./check_cve_2026_11108.sh <device-serial>; example: ./check_cve_2026_11108.sh R58N123ABCD. It needs access to adb shell dumpsys package com.android.chrome; root is not required, but USB debugging or enterprise ADB access is.

noisgate-verify.sh
BASHREAD-ONLYSAFE
#!/usr/bin/env bash
# check_cve_2026_11108.sh
# Verifies whether Google Chrome on an attached Android device is older than 149.0.7827.53.
# Output: VULNERABLE / PATCHED / UNKNOWN
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

set -u

TARGET_FIXED="149.0.7827.53"
PKG="com.android.chrome"

usage() {
  echo "Usage: $0 <device-serial>" >&2
  exit 2
}

ver_to_ints() {
  local IFS='.'
  local parts=($1)
  printf "%d %d %d %d\n" \
    "${parts[0]:-0}" "${parts[1]:-0}" "${parts[2]:-0}" "${parts[3]:-0}"
}

ver_lt() {
  local a b c d w x y z
  read -r a b c d <<< "$(ver_to_ints "$1")"
  read -r w x y z <<< "$(ver_to_ints "$2")"

  [[ $a -lt $w ]] && return 0
  [[ $a -gt $w ]] && return 1
  [[ $b -lt $x ]] && return 0
  [[ $b -gt $x ]] && return 1
  [[ $c -lt $y ]] && return 0
  [[ $c -gt $y ]] && return 1
  [[ $d -lt $z ]] && return 0
  return 1
}

[[ $# -eq 1 ]] || usage
SERIAL="$1"

if ! command -v adb >/dev/null 2>&1; then
  echo "UNKNOWN: adb not found in PATH"
  exit 2
fi

if ! adb -s "$SERIAL" get-state >/dev/null 2>&1; then
  echo "UNKNOWN: device $SERIAL not reachable via adb"
  exit 2
fi

RAW_VERSION=$(adb -s "$SERIAL" shell dumpsys package "$PKG" 2>/dev/null | sed -n 's/.*versionName=\([^[:space:]]*\).*/\1/p' | head -n1 | tr -d '\r')

if [[ -z "$RAW_VERSION" ]]; then
  echo "UNKNOWN: could not read Chrome version or package $PKG is absent"
  exit 2
fi

if [[ ! "$RAW_VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
  echo "UNKNOWN: unexpected version format: $RAW_VERSION"
  exit 2
fi

if ver_lt "$RAW_VERSION" "$TARGET_FIXED"; then
  echo "VULNERABLE: Chrome $RAW_VERSION is older than fixed version $TARGET_FIXED"
  exit 1
else
  echo "PATCHED: Chrome $RAW_VERSION is at or newer than fixed version $TARGET_FIXED"
  exit 0
fi
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning, do not treat this like a perimeter fire drill. Pull an MDM/EMM report for Chrome on Android < 149.0.7827.53, tag the subset of devices that actually use NFC-enabled workflows, and patch those first. Because the reassessed verdict is MEDIUM, there is no noisgate mitigation SLA — go straight to the 365-day remediation window; the noisgate remediation SLA is ≤ 365 days for the actual Chrome update, with optional compensating controls now for kiosk, field, and shared Android devices that keep NFC enabled.

Sources

  1. Chrome Releases archive for June 2026
  2. Chrome for Android Update (149.0.7827.48 rollout)
  3. Web NFC on Chrome for Android documentation
  4. CIRCL Vulnerability Lookup entry for CVE-2026-11108
  5. CISA Known Exploited Vulnerabilities catalog
  6. FIRST EPSS API documentation
  7. Google Chrome update instructions for Android
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.