← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
CVE-2026-11167 · CWE-250 · Disclosed 2026-06-04

Inappropriate implementation in WebView in Google Chrome on Android prior to 149

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is the second lock on the door, not the burglar getting through the front gate

CVE-2026-11167 is an Android-specific Chrome/WebView sandbox-escape condition: on versions prior to 149.0.7827.53, an attacker who has already compromised the renderer process can use a crafted HTML page to try to break into a more privileged browser context. That prerequisite matters more than the scary CVSS label. Affected population is Chrome on Android / Android WebView code before the fix train that landed in the 149.0.7827.x family; Android stable later shipped as 149.0.7827.59 with the same security fixes.

The vendor-side 9.6 CRITICAL score is mathematically correct for a hypothetical remote chain, but operationally inflated for enterprise patch triage because this bug is not initial access. Chrome itself tags it as *Chromium security severity: Medium*, and that lines up better with reality: no KEV entry, no public exploitation evidence, no public PoC, tiny EPSS, and the attacker must first land a separate renderer bug before this CVE even comes into play.

"Dangerous as a chain component, but not a fleet-wide emergency: the attacker already needs renderer compromise first."
02 · The Attack Path

4 steps from start to impact.

STEP 01

Land a renderer foothold with a separate bug

This CVE does nothing until the attacker already has code execution or equivalent control inside Chrome's renderer process. In practice that means a separate memory-corruption, UXSS, or policy-bypass bug must fire first; CVE-2026-11167 is a stage-two primitive, not the opener.
Conditions required:
  • Target is using vulnerable Chrome/WebView on Android
  • Attacker has a separate renderer-compromise primitive
  • User reaches attacker-controlled content
Where this breaks in practice:
  • Requires a second vulnerability or prior browser compromise
  • Modern Safe Browsing, site isolation, and renderer hardening shrink usable chains
  • No public exploit chain is available for this CVE
Detection/coverage: Traditional vuln scanners won't see the prerequisite chain. Detection is mostly indirect: browser crash telemetry, threat intel on companion renderer bugs, or mobile threat defense telemetry.
STEP 02

Trigger the WebView implementation flaw

Once inside the renderer, the attacker serves or navigates to crafted HTML intended to exercise the vulnerable WebView implementation path. The bug is described as an inappropriate implementation issue rather than a straight memory corruption bug, which usually means exploit reliability depends on narrow state and browser internals.
Conditions required:
  • Renderer already compromised
  • Attacker can steer page content or navigation
  • Affected version is below 149.0.7827.53
Where this breaks in practice:
  • Issue details are not public from Chromium bug tracker
  • No weaponized tooling is publicly posted
  • Android/browser state may need to line up precisely
Detection/coverage: Network security tools see only ordinary web traffic. At best you may catch abnormal Chrome/WebView crashes or exploit-failure loops on the device.
STEP 03

Attempt sandbox escape

The exploit goal is to cross from the compromised renderer into a more privileged browser or system-facing context. That is serious when chained, but Android's sandboxing, SELinux, seccomp, and device-specific mitigations raise the bar compared with a pure renderer bug.
Conditions required:
  • Successful trigger of the vulnerable code path
  • Android device protections do not block the transition
  • Exploit is reliable on the target build/device mix
Where this breaks in practice:
  • Sandbox escapes are materially harder than renderer compromise alone
  • Exploit reliability varies across Android builds and OEM variants
  • Mobile exploit development cost is high without published internals
Detection/coverage: Mobile EDR/MTD may catch process abuse or privilege anomalies, but coverage is uneven across enterprise Android fleets.
STEP 04

Use post-sandbox privileges for follow-on actions

If the chain works, the attacker can pursue data access, stronger browser compromise, or additional device-level abuse. But the blast radius is still bounded by Android app/process security and by whether the attacker can chain beyond browser privilege.
Conditions required:
  • Sandbox escape succeeded
  • Attacker has follow-on payloads or objectives
  • Device management controls do not contain the session
Where this breaks in practice:
  • No evidence of in-the-wild campaigns using this CVE
  • Further privilege gains may need yet another step
  • Enterprise Android fleets often have MDM compliance controls and app update enforcement
Detection/coverage: Look for anomalous Chrome/WebView behavior, managed Play compliance drift, and device risk signals from MTD platforms rather than expecting classic perimeter visibility.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusNo confirmed exploitation found. I found no KEV listing and no public reporting of active campaigns using this CVE.
KEV statusNot listed in CISA KEV as of 2026-06-05; no due date pressure from KEV.
Proof-of-concept availabilityNo public PoC located. Chromium issue 502228856 is referenced, but public details are not exposed.
EPSSVery low. Your supplied value is 0.00062; third-party mirrors I checked show roughly 0.0003 class values, which all point the same way: low near-term exploitation probability.
CVSS and what it missesCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H yields 9.6, but CVSS does not model the real prerequisite that the attacker must already own the renderer.
Vendor vs Chromium severityCISA-ADP / vendor-facing score is CRITICAL 9.6, while the Chrome release notes describe it as Chromium security severity: Medium. For patch operations, Chromium's internal severity tracks reality better here.
Affected versionsGoogle Chrome on Android / WebView code before 149.0.7827.53.
Fixed versionsCode fix threshold is 149.0.7827.53; Android stable later shipped as Chrome for Android 149.0.7827.59, which the release notes say carries the desktop security fixes unless otherwise noted.
Exposure and scanning realityNot internet-fingerprintable in the usual sense. Shodan/Censys/FOFA-style exposure counts are the wrong model because this is a client-side Android browser/WebView issue, so population sizing comes from your MDM inventory, not external scanning.
Disclosure and reporterPublished by Chrome on 2026-06-04; Chrome release notes say it was reported by Google on 2026-04-13.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to MEDIUM (6.4/10)

The decisive factor is the prerequisite: exploitation requires the attacker to have already compromised Chrome's renderer process, which makes this a stage-two browser-chain bug rather than an initial-entry bug. That sharply narrows both the reachable population and the number of real adversaries who can use it, despite the high theoretical impact after a successful chain.

HIGH Prerequisite analysis: this is post-renderer-compromise, not initial access
MEDIUM Exploitability estimate in enterprise Android fleets
MEDIUM Version/fix mapping between `149.0.7827.53` and Android stable `149.0.7827.59`

Why this verdict

  • Major downgrade for attacker position: exploitation requires a compromised renderer process first. That implies the attacker already burned another browser bug or equivalent compromise step before this CVE matters.
  • Population is narrower than desktop Chrome CVEs: this is Android Chrome/WebView, not a generic externally reachable enterprise service. Real exposure depends on your mobile fleet size and update drift, not on internet-facing attack surface.
  • Modern controls add friction: Safe Browsing, Chrome hardening, Android sandboxing, SELinux/seccomp, OEM mitigations, and MDM-driven auto-updates all reduce practical weaponization.
  • No field evidence: no KEV listing, no public exploitation reporting, and no public PoC materially lower urgency.
  • Tiny EPSS supports the downgrade: even if the exact mirrored value varies, the score is in the very low band.

Why not higher?

A higher rating would be justified if this were a one-click initial compromise or if there were active exploitation, KEV listing, or a public exploit chain. None of that is present here. The need for prior renderer compromise is a compounding friction point that CVSS fails to price in.

Why not lower?

This is still a sandbox-escape primitive in one of the most targeted software classes on the planet. If an attacker already has a renderer bug, this kind of CVE can be the difference between a crash and a full chain, so it is not backlog junk.

05 · Compensating Control

What to do — in priority order.

  1. Enforce browser auto-update — Use managed Google Play / MDM policy to require Chrome and Android System WebView auto-updates. For a MEDIUM verdict there is no mitigation SLA; treat this as standard hardening and complete the actual version uplift within the 365-day remediation window.
  2. Block stale Android browsers in compliance policy — Create an MDM compliance rule that flags or restricts devices running Chrome/WebView below the fixed train. This reduces long-tail exposure without needing emergency response; for MEDIUM, there is no mitigation SLA — go straight to remediation.
  3. Reduce risky browsing contexts — Where your MDM stack supports it, restrict unmanaged sideloaded browsers and keep users on the managed Chrome channel so fixes propagate predictably. This is a normal-risk control improvement to complete alongside remediation within 365 days.
  4. Watch for chained-browser activity — Tune MTD/EDR alerts for repeated Chrome/WebView crashes, exploit-style browser instability, and high-risk navigation patterns on corporate Android devices. This does not replace patching, but it gives you a chance to catch the separate renderer-stage bug this CVE depends on.
What doesn't work
  • A WAF does not meaningfully help; the vulnerable component is the client browser/WebView on Android, not your web app edge.
  • Perimeter network scanning does not help you find vulnerable assets; this is not an internet-facing daemon and won't show up as a neat external exposure count.
  • Desktop browser patch status is irrelevant; this CVE is specifically about Chrome/WebView on Android.
06 · Verification

Crowdsourced verification payload.

Run this from an auditor workstation that has adb installed and an authorized Android device connected. Invoke it as ./check_cve_2026_11167.sh SERIAL or ./check_cve_2026_11167.sh for the only attached device; it needs no root, but it does require USB debugging (or equivalent adb) access.

noisgate-verify.sh
BASHREAD-ONLYSAFE
#!/usr/bin/env bash
# check_cve_2026_11167.sh
# Verifies whether connected Android device has Chrome / Android System WebView
# versions affected by CVE-2026-11167.
#
# Logic:
# - Vulnerable if installed version is < 149.0.7827.53
# - Patched if installed version is >= 149.0.7827.53
# - Checks both Chrome and Android System WebView if present
#
# Exit codes:
# 0 = PATCHED
# 1 = VULNERABLE
# 2 = UNKNOWN / unable to determine

set -u

THRESHOLD="149.0.7827.53"
SERIAL_ARG="${1:-}"
ADB=(adb)
if [[ -n "$SERIAL_ARG" ]]; then
  ADB+=( -s "$SERIAL_ARG" )
fi

packages=("com.android.chrome" "com.google.android.webview")
found_any=0
vulnerable_any=0
unknown_any=0

version_ge() {
  # returns 0 if $1 >= $2
  local a b IFS=.
  read -r -a a <<< "$1"
  read -r -a b <<< "$2"
  local len=${#a[@]}
  if (( ${#b[@]} > len )); then len=${#b[@]}; fi
  for ((i=0; i<len; i++)); do
    local ai=${a[i]:-0}
    local bi=${b[i]:-0}
    if ((10#$ai > 10#$bi)); then return 0; fi
    if ((10#$ai < 10#$bi)); then return 1; fi
  done
  return 0
}

get_version() {
  local pkg="$1"
  "${ADB[@]}" shell dumpsys package "$pkg" 2>/dev/null | tr -d '\r' | awk -F= '/versionName=/{print $2; exit}'
}

# Basic adb connectivity check
if ! "${ADB[@]}" get-state >/dev/null 2>&1; then
  echo "UNKNOWN - adb device not available or unauthorized"
  exit 2
fi

echo "Checking threshold: $THRESHOLD"

for pkg in "${packages[@]}"; do
  ver="$(get_version "$pkg")"
  if [[ -z "$ver" ]]; then
    echo "$pkg: not installed or version unknown"
    unknown_any=1
    continue
  fi

  found_any=1
  echo "$pkg: installed version $ver"

  if version_ge "$ver" "$THRESHOLD"; then
    echo "$pkg: PATCHED"
  else
    echo "$pkg: VULNERABLE"
    vulnerable_any=1
  fi
done

if (( found_any == 0 )); then
  echo "UNKNOWN - neither Chrome nor Android System WebView version could be determined"
  exit 2
fi

if (( vulnerable_any == 1 )); then
  echo "VULNERABLE"
  exit 1
fi

if (( unknown_any == 1 )); then
  echo "UNKNOWN - at least one relevant package could not be evaluated"
  exit 2
fi

echo "PATCHED"
exit 0
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning, do not treat this like a Chrome zero-day fire drill. Pull an MDM inventory of Android devices running managed Chrome / Android System WebView, confirm which ones are below the fixed train, and fold them into your normal mobile-browser maintenance wave; for a MEDIUM verdict there is no noisgate mitigation SLA — go straight to the 365-day remediation window. Under the noisgate remediation SLA, complete remediation within 365 days by getting affected devices to 149.0.7827.53+ code level, noting that Android stable shipped the fixes in 149.0.7827.59.

Sources

  1. NVD record for CVE-2026-11167
  2. Chrome Releases: Stable Channel Update for Desktop
  3. Chrome Releases: Chrome for Android Update
  4. Chromium issue 502228856
  5. CVE.org record
  6. CISA Known Exploited Vulnerabilities Catalog
  7. VulDB entry for CVE-2026-11167
  8. Quanteta CVE tracker entry set
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.