← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
CVE-2026-11148 · CWE-352 · Disclosed 2026-06-04

Inappropriate implementation in Payments in Google Chrome on Android prior to 149

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is a peephole in a locked apartment, not a blown-open front door

CVE-2026-11148 is a Chrome for Android Payments bug that can expose cross-origin data before version 149.0.7827.53. The public record says it is a *local attacker* issue triggered with a crafted HTML page, which matters: this is not a server bug and not a one-packet internet exploit. The affected population is Android Chrome clients below 149.0.7827.53, with impact limited to confidentiality rather than code execution, persistence, or sandbox escape.

The vendor's 6.5/MEDIUM is defensible in a vacuum, but it still overstates the operational urgency for a 10,000-host enterprise patch queue. The attack path is constrained by platform scope (Android only), client-side reachability, required user interaction, and the unusually important prerequisite implied by *local attacker* in the CNA text. That combination pushes this down from 'patch now' to 'patch in normal mobile/browser hygiene,' unless you have a high-risk Android fleet handling sensitive payments or regulated browser sessions.

"This is a narrow Android client-side data leak that needs user action and likely local foothold, not an enterprise fire drill."
02 · The Attack Path

3 steps from start to impact.

STEP 01

Land on the Android device

The attacker first needs a realistic path onto the target handset or into the victim's browsing flow. Given the CNA description says *local attacker*, the practical model is a malicious app, an already-compromised device, or another local execution context that can drive Chrome to attacker-controlled content; the public record does not support unauthenticated internet-wide exploitation by itself. Weaponized tool: bespoke malicious Android app or local launcher; no public PoC is available.
Conditions required:
  • Target runs Chrome on Android prior to 149.0.7827.53
  • Attacker has local foothold on the device or another reliable way to open crafted content in vulnerable Chrome
  • Victim uses Chrome rather than another browser
Where this breaks in practice:
  • Enterprise Android fleets often block sideloading and unknown sources
  • Play Protect, MDM app allowlisting, and mobile threat defense reduce malicious-app reach
  • Android-only scope immediately shrinks the exposed population
Detection/coverage: Traditional vulnerability scanners have poor visibility into browser-bug triggerability. MDM/UEM can usually identify installed Chrome version, and mobile threat defense may catch the malicious-app precursor, not the browser flaw itself.
STEP 02

Trigger the Payments logic flaw

The attacker presents a crafted HTML page that exercises the vulnerable Payments code path inside Chrome for Android. Based on the public description, the bug crosses an origin boundary and leaks data rather than executing code. Weaponized tool: crafted HTML/JavaScript page; Chromium bug 501738451 remains access-restricted, so exploit details are not public.
Conditions required:
  • Victim opens the crafted page in vulnerable Chrome for Android
  • The vulnerable Payments path is reachable in that session
  • User interaction occurs, consistent with the UI:R vector
Where this breaks in practice:
  • No public exploit recipe lowers copycat risk
  • Payments-specific preconditions usually mean more brittle reproduction than generic DOM bugs
  • Browser hardening and site isolation reduce adjacent bug chaining value
Detection/coverage: Network IDS/IPS will not reliably detect this. Browser crash telemetry is unlikely to help because this is described as a data leak, not a memory-corruption crash.
STEP 03

Exfiltrate whatever cross-origin data is exposed

If the victim also has relevant authenticated state or sensitive page context, the attacker can extract exposed cross-origin data and ship it off-device. The blast radius is per-user, per-session, and confidentiality-focused. Weaponized tool: normal web exfiltration over HTTPS; no public campaign or exploit kit has been tied to this CVE.
Conditions required:
  • Victim has useful session state or sensitive data available to leak
  • Outbound network access exists for exfiltration
  • The leaked data is valuable enough to matter operationally
Where this breaks in practice:
  • Impact is limited to data exposure, not full browser or device takeover
  • No integrity or availability impact is documented
  • Per-session targeting makes this much less scalable than wormable or service-side bugs
Detection/coverage: Web proxy/DLP may catch suspicious exfil domains, but there is no signature-grade detection for the vulnerability itself.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusNo public evidence of active exploitation found. CISA ADP enrichment marks Exploitation: none, and the CVE is not in KEV.
PoC availabilityNo public PoC or weaponized repo located in accessible sources. The Chromium issue is access-restricted, which usually delays copycat exploit development.
EPSS0.00008 (*user-supplied intel*), which is effectively floor-level exploitation probability. Percentile was not independently confirmed from accessible FIRST results.
KEV statusNot KEV-listed as of 2026-06-06 based on the official CISA KEV catalog and the absence of a KEV reference in the public record.
CVSS vectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N → remote content trigger on paper, but with required user interaction and confidentiality-only impact; the CNA description's *local attacker* wording is the real downward-pressure factor.
Affected versionsGoogle Chrome on Android prior to 149.0.7827.53.
Fixed versionUpdate Chrome on Android to 149.0.7827.53 or later. Desktop 149.0.7827.53/.54 shipped on 2026-06-02; Android 149.0.7827.48 early stable started on 2026-05-28, and the CVE record ties the Android fix boundary to 149.0.7827.53.
Exposure/scanning realityInference: Shodan/Censys/FOFA/GreyNoise are largely irrelevant here because this is a client-side Android browser flaw, not an internet-facing service. Your exposure question is fleet inventory coverage, not open-port census.
Disclosure timelineCVE published 2026-06-04; NVD last modified 2026-06-06. Google lists the bug as reported by Google on 2026-04-11 in the Chrome 149 stable notes.
Researcher / reporterReported by Google, not an external researcher bounty submission, per the Chrome 149 stable-channel advisory.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to LOW (3.7/10)

The decisive factor is the prerequisite stack: Android-only, client-side, user-driven, and described by the CNA as a local attacker issue. That combination means this is not a broad initial-access primitive and not a scalable enterprise-wide compromise vector, despite the scary-sounding cross-origin leak language.

HIGH Affected/fixed version boundary and vendor baseline
MEDIUM Interpretation that *local attacker* materially narrows real-world reachability
HIGH No active exploitation / no KEV / no public PoC in accessible sources

Why this verdict

  • Local-attacker wording cuts hard against urgency — the CNA description itself says *local attacker*, which implies the adversary is already on the handset or has another on-device execution path.
  • Android-only client population is narrower — this is not Chrome across all platforms and not a shared server component; only Android Chrome clients below 149.0.7827.53 are in scope.
  • Impact is confidentiality-only — no code execution, no sandbox escape, no persistence, and no availability hit are documented.
  • User interaction is still required — the victim must open or engage with crafted content, which reduces automation and mass-exploitation value.
  • Threat intel is cold — no KEV entry, no public exploitation evidence, no public PoC, and an extremely low EPSS all argue against near-term attacker demand.

Why not higher?

It does not clear the bar for MEDIUM-or-higher operational urgency because the reachable population is constrained and the attack does not produce device takeover. If this were unauthenticated remote, cross-platform, or paired with public exploitation evidence, the score would climb fast.

Why not lower?

It is still a real same-origin boundary failure in a widely deployed browser, and confidentiality impact can matter if the user is sitting on authenticated sessions. Browser bugs also age poorly once root cause diffing becomes easier after broad patch adoption.

05 · Compensating Control

What to do — in priority order.

  1. Block unmanaged Android app installs — Reduce the most plausible precursor: a malicious local app that can drive vulnerable Chrome into attacker-controlled content. Enforce via MDM/UEM allowlisting and Play Protect policy; for a LOW verdict there is no mitigation SLA, so treat this as backlog hygiene and fold it into your normal mobile hardening baseline.
  2. Force Chrome auto-update on managed Android — Use enterprise mobility management to pin Chrome to auto-update from managed Play and close version lag on mobile browsers. For a LOW verdict there is no mitigation SLA and no separate urgent workaround requirement; keep it in routine browser maintenance.
  3. Constrain risky browsing contexts on mobile — For high-sensitivity user groups, route mobile browsing through managed work profiles, conditional access, and sanctioned app lists so a local malicious app has less room to stage the trigger. Again, for LOW this is normal-risk reduction, not an emergency change window.
What doesn't work
  • Perimeter firewalls do not solve this because the vulnerable surface is the client browser rendering crafted content, not an inbound service port.
  • Server-side WAF rules are weak compensation because the attacker-controlled content can be hosted anywhere and the bug lives in Chrome's client logic.
  • Password rotation does not address the root issue unless you have evidence specific browser session data was actually exposed.
06 · Verification

Crowdsourced verification payload.

Run this on an auditor workstation with adb installed and USB debugging or enterprise shell access to the Android device. Invoke it as ./check_chrome_android_cve_2026_11148.sh SERIAL (example: ./check_chrome_android_cve_2026_11148.sh emulator-5554). No root is required, but you need permission to query package metadata on the target device.

noisgate-verify.sh
BASHREAD-ONLYSAFE
#!/usr/bin/env bash
# check_chrome_android_cve_2026_11148.sh
# Checks whether Google Chrome on an attached Android device is below 149.0.7827.53
# Output: VULNERABLE / PATCHED / UNKNOWN
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN, 3=usage/dependency error

set -u

FIXED_VERSION="149.0.7827.53"
PACKAGE="com.android.chrome"

usage() {
  echo "Usage: $0 <adb-serial>"
  exit 3
}

if [ $# -ne 1 ]; then
  usage
fi

SERIAL="$1"

if ! command -v adb >/dev/null 2>&1; then
  echo "UNKNOWN - adb not found in PATH"
  exit 3
fi

adb -s "$SERIAL" get-state >/dev/null 2>&1
if [ $? -ne 0 ]; then
  echo "UNKNOWN - device not reachable via adb: $SERIAL"
  exit 2
fi

VERSION_LINE=$(adb -s "$SERIAL" shell dumpsys package "$PACKAGE" 2>/dev/null | tr -d '\r' | grep -m1 'versionName=')
if [ -z "$VERSION_LINE" ]; then
  echo "UNKNOWN - could not read Chrome package metadata (package missing or restricted)"
  exit 2
fi

INSTALLED_VERSION=${VERSION_LINE#*=}
INSTALLED_VERSION=$(echo "$INSTALLED_VERSION" | awk '{print $1}')

normalize_version() {
  local ver="$1"
  local IFS='.'
  local parts
  read -r -a parts <<< "$ver"
  while [ ${#parts[@]} -lt 4 ]; do
    parts+=(0)
  done
  printf "%d %d %d %d\n" "${parts[0]}" "${parts[1]}" "${parts[2]}" "${parts[3]}"
}

compare_versions() {
  # returns 0 if equal, 1 if first > second, 2 if first < second
  local a b i
  read -r -a a <<< "$(normalize_version "$1")"
  read -r -a b <<< "$(normalize_version "$2")"
  for i in 0 1 2 3; do
    if [ "${a[$i]}" -gt "${b[$i]}" ]; then
      return 1
    fi
    if [ "${a[$i]}" -lt "${b[$i]}" ]; then
      return 2
    fi
  done
  return 0
}

compare_versions "$INSTALLED_VERSION" "$FIXED_VERSION"
CMP=$?

if [ $CMP -eq 2 ]; then
  echo "VULNERABLE - Chrome $INSTALLED_VERSION < $FIXED_VERSION on device $SERIAL"
  exit 1
elif [ $CMP -eq 0 ] || [ $CMP -eq 1 ]; then
  echo "PATCHED - Chrome $INSTALLED_VERSION >= $FIXED_VERSION on device $SERIAL"
  exit 0
else
  echo "UNKNOWN - version comparison failed for $INSTALLED_VERSION"
  exit 2
fi
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning: pull your managed Android Chrome inventory, identify devices below 149.0.7827.53, and push them through the next routine mobile/browser update wave rather than blowing up the patch board. For a LOW noisgate verdict there is noisgate mitigation SLA: no SLA (treat as backlog hygiene) and noisgate remediation SLA: no SLA (treat as backlog hygiene), so document the downgrade rationale, keep an eye out for any later PoC or exploitation evidence, and close it in normal fleet hygiene instead of emergency operations.

Sources

  1. NVD CVE-2026-11148
  2. Chrome Releases: Stable Channel Update for Desktop (Chrome 149)
  3. Chrome Releases: Early Stable Update for Desktop
  4. Chrome Releases: Chrome for Android Update
  5. Chromium issue 501738451
  6. Vulnerability-Lookup entry for CVE-2026-11148
  7. CISA Known Exploited Vulnerabilities Catalog
  8. FIRST EPSS API documentation
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.