CVE-2026-11172 · CWE-451 · Disclosed 2026-06-04

Incorrect security UI in Contact Picker in Google Chrome on Android prior to 149

ASSESSED — NOISGATE V0.5
01 · The Real Story

This is a fake badge at the front desk, not a master key to the building

CVE-2026-11172 is a security UI spoofing flaw in Google Chrome on Android involving the Contact Picker. A malicious site can abuse the browser's UI flow so the user sees misleading trust signals while interacting with attacker-controlled content, enabling phishing-style deception. Based on the vendor description, affected builds are Chrome on Android prior to 149.0.7827.53.

Google's HIGH 8.8 rating is technically explainable from a generic network/user-interaction template, but it overstates enterprise risk. This bug does not give the attacker code execution, sandbox escape, persistence, or silent data theft by itself; it gives them a better costume for a phishing page. The decisive downgrade factors are Android-only scope, required user interaction, per-victim blast radius, and the fact that modern email/web filtering can still kill the campaign before the browser bug matters.

"High on paper, medium in practice: this is a user-driven Android phishing assist, not a remote device compromise."
02 · The Attack Path

4 steps from start to impact.

STEP 01

Lure the victim onto a malicious page

The attacker still needs a delivery mechanism: email, SMS, QR code, chat link, ad traffic, or a compromised site. This is not self-propagating and not internet-wormable; it only matters after a user opens attacker-controlled content in Chrome on Android.
Conditions required:
  • Target is using Chrome on Android
  • Installed Chrome version is earlier than 149.0.7827.53
  • User visits an attacker-controlled or attacker-influenced page
Where this breaks in practice:
  • Email security, SMS filtering, Safe Browsing, and URL reputation can block the campaign before exploit conditions exist
  • Many enterprises have limited business reliance on Android Chrome for sensitive admin workflows
Detection/coverage: Traditional vuln scanners will not see exploit attempts. Detection is mostly upstream in mail/web filtering, Safe Browsing events, and mobile telemetry showing outdated Chrome versions.
STEP 02

Spend the user's gesture on privileged UI

The malicious page needs the victim to tap or otherwise interact so it can invoke navigator.contacts.select() and present the Contact Picker flow. Public Chromium material for this bug class shows Contact Picker plus fullscreen/UI redressing can be combined to suppress or confuse security indicators during the same interaction sequence.
Conditions required:
  • A real user gesture is required
  • The page can invoke Contact Picker in a secure top-level context
Where this breaks in practice:
  • No-click exploitation is off the table
  • User-activation gating limits automation and mass exploitation reliability
Detection/coverage: There is poor signature-based coverage. Browser-side abuse may appear only as normal web interaction unless paired with phishing telemetry or suspicious fullscreen/navigation behavior.
STEP 03

Spoof trust signals during the picker flow

The vulnerable behavior lets the attacker present misleading browser/security UI so the victim misreads who is asking for what. In practice, this is a credibility amplifier for phishing: the page looks more trustworthy than it should while the user is making a decision.
Conditions required:
  • Victim must perceive the spoofed UI as legitimate
  • The device form factor and mobile viewport must make origin verification harder
Where this breaks in practice:
  • Users still must be fooled; the bug does not force data disclosure on its own
  • Small timing and UX differences often reduce reliability across Android versions and OEM skins
Detection/coverage: No meaningful network IOC is inherent to the UI flaw itself. Detection shifts to phishing-domain monitoring, browser exploit telemetry, and user reports.
STEP 04

Capture data or induce a bad decision

If the spoof works, the attacker can trick the victim into sharing selected contacts, entering credentials into a fake form, or trusting a malicious workflow. The impact is per-user and campaign-dependent rather than deterministic compromise of the browser or device.
Conditions required:
  • Victim proceeds with the spoofed workflow
  • Attacker has a collection endpoint for stolen data or harvested contacts
Where this breaks in practice:
  • MFA, passkeys, conditional access, and anti-phishing controls can still blunt post-capture impact
  • Blast radius is generally limited to the individual user session or account
Detection/coverage: Look for downstream account protection alerts, impossible-travel logins, credential phishing detections, and mobile browser version drift.
03 · Intelligence Metadata

The supporting signals.

In-the-wild status: No evidence of active exploitation located in authoritative sources reviewed, and not KEV-listed.
Public PoC availability: No public PoC located for this exact CVE. However, Chromium issue 40057591 documents the same Contact Picker + fullscreen security UI spoofing class, so the attack concept is not theoretical.
EPSS: Very low. User-provided intel says 0.0007; public aggregators around disclosure show similarly negligible values, which fits a niche client-side phishing assist rather than a broadly weaponized browser RCE.
KEV status: Not listed in CISA's Known Exploited Vulnerabilities Catalog.
CVSS vector reality check: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H assumes severe downstream consequences after user deception. In practice, UI:R is the whole story here: the attacker must win a phishing interaction before any harm occurs.
Affected versions: Google Chrome on Android prior to 149.0.7827.53. This is a platform-limited browser bug, not a server-side exposure.
Fixed version: Upgrade to Chrome 149.0.7827.53 or later on Android. Android stable releases typically inherit the corresponding desktop security fixes unless noted otherwise by Google.
Scanning / exposure data: Not internet-scannable in the Shodan/Censys sense because this is a client-side mobile browser vulnerability. Exposure is measured by fleet version inventory, not open ports or banners.
Disclosure date: 2026-06-04 per the provided intel and public aggregators.
Reporter / researcher: No public attribution found for this exact CVE in the sources reviewed. Chromium has public reports for adjacent UI spoofing cases, but I would not claim a named reporter for this CVE without a primary advisory.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to MEDIUM (4.8/10)

The single biggest downgrade driver is that this bug requires a live user to enter an attacker-controlled browser flow and be fooled by spoofed UI. That makes it a phishing amplifier with per-user blast radius, not a remotely exploitable browser takeover with fleet-wide operational impact.

HIGH: Severity downgrade from vendor HIGH to noisgate MEDIUM
MEDIUM: Exact exploit choreography for this specific CVE versus adjacent Chromium bug-class reports

Why this verdict

  • Requires user interaction: the attacker cannot silently trigger impact; they need a victim to tap into a deceptive flow.
  • Android Chrome only: this is not a cross-platform Chrome emergency and not a server-side exposure affecting shared enterprise infrastructure.
  • UI spoofing is downstream-impact dependent: the bug does not directly execute code, escape sandboxing, or persist on the device; harm depends on what the victim does next.
  • Exposure population is narrower than the CVSS suggests: only devices with vulnerable Android Chrome builds, reachable by a phishing campaign, and used for sensitive workflows are materially at risk.
  • No KEV and no active exploitation evidence: absent exploitation pressure, the real-world urgency is lower than a browser memory-corruption bug with working exploit chains.
  • Modern controls break the chain before and after the bug: email/web filtering, Safe Browsing, MFA, passkeys, and conditional access all reduce practical impact.

Why not higher?

This does not look like a pre-auth browser RCE, sandbox escape, or universal account bypass. Even if the spoof is convincing, the attacker still needs delivery, a click, successful deception, and then a second-stage outcome such as credential entry or contact sharing. That compound friction is exactly why the vendor's 8.8 does not survive contact with reality.

Why not lower?

It is still a browser trust-boundary failure in a widely deployed product, and mobile UI spoofing can materially improve phishing conversion. For organizations with Android-heavy workforces, especially where users handle SSO or approvals on phones, this can still produce credential theft or data disclosure. That keeps it above backlog hygiene.

05 · Compensating Control

What to do — in priority order.

  1. Force Chrome auto-update on Android — Use Managed Google Play / EMM / MDM policy to drive Chrome 149.0.7827.53+ across enrolled Android devices. For a MEDIUM verdict there is no mitigation SLA, so treat this as normal patching and complete it within the 365-day remediation window.
  2. Block risky link delivery paths — Tighten mail, SMS, chat, and QR-code link protections because this bug only matters after a user reaches attacker-controlled content. Prioritize phishing-resistant filtering now; for MEDIUM, there is no mitigation SLA — go straight to the 365-day remediation window for the software fix.
  3. Enforce phishing-resistant auth — Require passkeys, FIDO2, or strong MFA with conditional access for mobile sign-ins so a spoofed UI has less payoff even if a user is fooled. This does not replace patching, but it sharply reduces account-takeover value while you work through the 365-day remediation window.
  4. Inventory Android browser drift — Report devices still on vulnerable Chrome builds and separate managed from BYOD/unmanaged populations. This is the right control for a client-side bug because internet scanning is useless here; for MEDIUM, close the version gap within the 365-day remediation window.
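One way to produce the drift report from control 4 without touching each phone over ADB, added here as an example rather than noisgate's own tooling: it reads an EMM inventory export (serial, population, versionName) and also classifies Chrome for Android User-Agent strings from proxy or SSO logs. The CSV layout, serials, versions and UA strings are constructed for the demonstration; the one caveat it handles is that Chrome sends a reduced User-Agent, so log data only proves the major version and 149.x from a UA stays UNKNOWN.

```python
import re

# First Chrome for Android build that carries the fix, per the assessment above.
FIXED = (149, 0, 7827, 53)
# Chrome 101+ sends a reduced User-Agent ("Chrome/<major>.0.0.0"), so a UA string only proves
# the major version. Other Chromium browsers on Android also carry a "Chrome/" token.
UA_RE = re.compile(r"Android[^)]*\).*?Chrome/(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """'148.0.7800.10' -> (148, 0, 7800, 10); non-digit suffixes and missing segments become 0."""
    segs = [re.match(r"\d*", s).group() for s in text.strip().split(".")[:4]]
    return tuple(int(s or 0) for s in segs + ["0"] * (4 - len(segs)))


def classify(version, exact=True):
    """Return PATCHED, VULNERABLE or UNKNOWN; exact=False means only the major is trustworthy."""
    if exact:
        return "VULNERABLE" if version < FIXED else "PATCHED"
    if version[0] < FIXED[0]:
        return "VULNERABLE"
    if version[0] > FIXED[0]:
        return "PATCHED"
    return "UNKNOWN"  # 149 with a reduced UA could be 149.0.7827.48 (below the fix) or .53+


def classify_ua(ua):
    """Classify one proxy/SSO User-Agent string; reduced UAs get the major-only rule."""
    m = UA_RE.search(ua)
    if not m or any(t in ua for t in ("EdgA/", "SamsungBrowser/", "OPR/")):
        return "NOT_ANDROID_CHROME"
    version = tuple(int(g) for g in m.groups())
    return classify(version, exact=version[1:] != (0, 0, 0))


def drift_report(rows):
    """Group vulnerable serials by population from 'serial,population,versionName' lines."""
    report = {"managed": [], "byod": []}
    for line in rows:
        if not line.strip() or line.startswith("#"):
            continue
        serial, population, version = (f.strip() for f in line.split(",", 2))
        if classify(parse_version(version)) == "VULNERABLE":
            report.setdefault(population.lower(), []).append(serial)
    return report


# Constructed sample EMM export; serials and versions are made up for the demonstration.
SAMPLE_INVENTORY = """# serial,population,versionName
R58M1A,managed,148.0.7800.10
R58M1B,managed,149.0.7827.53
R58M1C,byod,149.0.7827.48
R58M1D,byod,150.0.7900.1""".splitlines()
```

Devices that come back UNKNOWN from log data still need the ADB check from section 06 or an EMM versionName to settle them.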
What doesn't work
  • A network IPS signature will not save you here; this is a browser UI deception issue, not a stable exploit packet pattern.
  • Perimeter vulnerability scanning does not measure exposure because there is no service banner or listening port to fingerprint.
  • Password rotation alone is weak compensation; if the attacker captures fresh credentials through spoofing, rotated passwords without phishing-resistant MFA still lose.
06 · Verification

Crowdsourced verification payload.

Run this from an auditor workstation with ADB installed against a USB- or network-connected Android device. Invoke it as ./check_chrome_android_cve_2026_11172.sh <device-serial>; it needs no root on the phone, but the device must allow ADB and expose package info.

#!/usr/bin/env bash
# check_chrome_android_cve_2026_11172.sh
# Determine whether Google Chrome on an Android device is vulnerable to CVE-2026-11172
# Vulnerable if com.android.chrome version is less than 149.0.7827.53
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN, 3=usage/dependency error

set -u

PKG="com.android.chrome"
FIXED="149.0.7827.53"

if ! command -v adb >/dev/null 2>&1; then
  echo "UNKNOWN - adb not found in PATH"
  exit 3
fi

if [ "$#" -ne 1 ]; then
  echo "Usage: $0 <device-serial>"
  exit 3
fi

SERIAL="$1"

adb -s "$SERIAL" get-state >/dev/null 2>&1
if [ "$?" -ne 0 ]; then
  echo "UNKNOWN - device $SERIAL not reachable via adb"
  exit 2
fi

VERSION_LINE=$(adb -s "$SERIAL" shell dumpsys package "$PKG" 2>/dev/null | tr -d '\r' | grep -m1 'versionName=')
if [ -z "$VERSION_LINE" ]; then
  echo "UNKNOWN - package $PKG not found or package info unavailable"
  exit 2
fi

VERSION="${VERSION_LINE#*versionName=}"
VERSION="$(echo "$VERSION" | awk '{print $1}')"

normalize_version() {
  # Convert dotted version into zero-padded comparable string
  # Non-numeric suffixes are stripped per segment.
  local ver="$1"
  local IFS='.'
  read -r -a parts <<< "$ver"
  local out=""
  local i part num
  for i in 0 1 2 3; do
    part="${parts[$i]:-0}"
    num="$(echo "$part" | sed 's/[^0-9].*$//')"
    [ -z "$num" ] && num=0
    out+=$(printf '%08d' "$num")
  done
  echo "$out"
}

INSTALLED_NORM=$(normalize_version "$VERSION")
FIXED_NORM=$(normalize_version "$FIXED")

if [ -z "$INSTALLED_NORM" ] || [ -z "$FIXED_NORM" ]; then
  echo "UNKNOWN - failed to parse version (installed: $VERSION)"
  exit 2
fi

if [[ "$INSTALLED_NORM" < "$FIXED_NORM" ]]; then
  echo "VULNERABLE - $PKG version $VERSION is older than fixed $FIXED"
  exit 1
else
  echo "PATCHED - $PKG version $VERSION is at or newer than fixed $FIXED"
  exit 0
fi
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning: pull your Android Chrome inventory, identify managed devices below 149.0.7827.53, and roll the update through EMM/Managed Google Play as routine browser hygiene. For this MEDIUM reassessment there is no noisgate mitigation SLA; the noisgate remediation SLA is ≤ 365 days, so go straight to that window. I would still clean up vulnerable managed devices this quarter because browser updates are cheap, but this should not jump ahead of exploited RCEs, auth bypasses, or server-side edge bugs.

Sources

  1. Chrome Releases: Chrome for Android Update (149.0.7827.48 early stable)
  2. Chrome Releases: Early Stable Update for Desktop (149.0.7827.53/.54)
  3. Chrome Developers: Contact Picker API
  4. Chromium issue 40057591: Security UI Spoofing on Chrome for Android due to Contact permission dialog/fullscreen interaction
  5. Chromium issue 499476146: Address Bar Spoofing via Fullscreen API & UI Redressing on Chrome Android
  6. CISA Known Exploited Vulnerabilities Catalog
  7. FIRST EPSS overview
  8. Quanteta CVE Tracker entry showing public aggregation for CVE-2026-11172