← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
CVE-2026-11175 · CWE-451 · Disclosed 2026-06-04

Incorrect security UI in Messages in Google Chrome on Android prior to 149

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is a fake security badge on the front door, not a broken lock

CVE-2026-11175 is a Chrome on Android UI spoofing flaw in the Messages component. A malicious site can trigger incorrect security UI on vulnerable Chrome for Android builds before 149.0.7827.53, letting an attacker make browser chrome or trust cues look more legitimate than they are via a crafted HTML page.

The vendor's HIGH 8.8 score overstates real enterprise risk. In practice this is not remote code execution, sandbox escape, or device takeover; it is a social-engineering assist that still requires the victim to open attacker-controlled content and then trust or act on a spoofed prompt or indicator. That makes it meaningful for phishing-resistant orgs, but not a drop-everything emergency.

"This is a phishing amplifier, not a fleet-compromise bug."
02 · The Attack Path

4 steps from start to impact.

STEP 01

Deliver a lure to mobile Chrome

The attacker uses a standard phishing workflow — email, SMS, chat, QR code, or ad redirect — to drive a target onto an attacker-controlled page in Chrome on Android. The only weaponized tooling needed here is a phishing kit or custom HTML/JS landing page; no exploit framework is required.
Conditions required:
  • Victim uses Chrome on Android
  • Chrome version is older than 149.0.7827.53
  • Attacker can get the user to open a malicious link
Where this breaks in practice:
  • Requires user interaction
  • Android-only scope cuts out desktop Chrome and iOS fleets
  • URL filtering, Safe Browsing, mobile threat defense, and mail filtering can stop the lure before the browser is involved
Detection/coverage: Network scanners will not find this well. Coverage is mainly MDM/EMM app inventory, Play-managed update reporting, and phishing telemetry.
STEP 02

Trigger the vulnerable Messages UI state

A crafted HTML page exercises the vulnerable Messages UI path and causes incorrect security UI rendering. The effective tool is simply custom HTML/JavaScript shaped to reach the vulnerable state; I found no public PoC or turnkey exploit kit tied to this CVE during research.
Conditions required:
  • The vulnerable UI path in Messages must be reachable from web content
  • The page must render successfully in the victim's browser session
Where this breaks in practice:
  • This is a spoofing primitive, not memory corruption
  • A lot of real users will bounce before the spoof is shown cleanly enough to matter
  • Browser/UI changes, locale differences, and device form factors can make spoof pages brittle
Detection/coverage: There is little CVE-specific telemetry. You may see only a suspicious page load, not a recognizable exploit signature.
STEP 03

Convert spoofed trust into user action

The attacker uses the fake browser/security cue to convince the target to trust a page, approve a workflow, or enter credentials. At this stage the weaponized tool is the phishing flow itself — fake login, fake warning, or fake verification prompt — rather than a technical post-exploitation chain.
Conditions required:
  • Victim must believe the spoofed indicator
  • Victim must take a follow-on action such as login, consent, or click-through
Where this breaks in practice:
  • Phishing-resistant MFA and conditional access sharply reduce payoff
  • Password managers and federated login UX often expose mismatches that break the scam
  • Security-aware users may notice URL, account context, or unusual flow timing
Detection/coverage: Identity telemetry can catch the consequence — suspicious sign-ins, impossible travel, MFA fatigue patterns — but not the UI spoof itself.
STEP 04

Abuse stolen trust outside the browser

If the user gives up credentials or approves a malicious action, the attacker pivots into account misuse, session hijack, or business-app fraud. The post-exploitation tooling is whatever the target service allows: web login reuse, token replay, or app-session abuse.
Conditions required:
  • User credentials, session material, or approval must be captured
  • Targeted accounts must have access worth abusing
Where this breaks in practice:
  • Blast radius is usually one user/account at a time
  • Enterprise SSO, device posture checks, and anomalous login detections can still block or contain follow-on abuse
  • No direct host compromise means EDR bypass value is limited
Detection/coverage: Look in IdP, CASB, and SaaS audit logs. Endpoint exploit telemetry is usually sparse because the vulnerability does not deliver code execution.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusNo confirmed exploitation found during research. No CISA KEV listing as of 2026-06-06.
Public PoC availabilityNo public PoC located for this specific CVE. Attack construction appears to be custom crafted HTML/JS, which lowers commoditization.
EPSS0.0007 from the prompt; that is extremely low exploitation probability. Percentile was not available from the retrieved primary-source data.
KEV statusNot listed in the CISA KEV catalog as of 2026-06-06.
CVSS vectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H from the prompt. The decisive field is UI:R: the attacker still needs the victim to engage with malicious content.
Affected versionsGoogle Chrome on Android prior to 149.0.7827.53.
Fixed version149.0.7827.53 or later. Chrome on Android is distributed through Google Play / managed Play.
Scanning / exposure realityInternet exposure scanners are basically irrelevant here because this is a client-side mobile browser flaw, not a remotely discoverable service. Your real exposure metric is fleet app-version inventory from EMM/MDM.
Disclosure timelinePrompt says disclosed 2026-06-04. Third-party aggregation showed public CVE visibility on 2026-06-05.
Researcher / reportingNot determined from retrieved primary sources. Google often withholds bug details until uptake improves, and I did not locate a primary source naming the reporter for this CVE.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to MEDIUM (5.1/10)

The single biggest downward pressure is that this bug requires user interaction and only produces a spoofing condition, not code execution or sandbox escape. It matters because Chrome on Android is broadly deployed and trust-UI bugs can improve phishing conversion, but the blast radius remains per-user and post-click.

HIGH Affected version boundary and patched version
MEDIUM Real-world exploitability and enterprise impact

Why this verdict

  • UI:R is real friction — the attacker must get the user onto malicious content and then convince them to act on the spoof
  • Android-only scope narrows population compared with a cross-platform Chrome issue, which materially reduces reachable enterprise exposure
  • This is a spoofing primitive, not host compromise — no direct RCE, no sandbox breakout, and no automatic lateral movement from the bug itself
  • Low threat intel heat — no KEV entry, no confirmed in-the-wild activity, and an EPSS of 0.0007 all argue against emergency-tier handling
  • Widespread deployment keeps it above LOW — Chrome on Android is common in managed mobile fleets, so even a phishing helper can affect a lot of users if left stale

Why not higher?

A higher rating would need either active exploitation, a publicly weaponized PoC, or a path to direct device/browser compromise. None of those signals are present here. The chain also compounds friction: remote lure plus user click plus successful deception plus reusable business impact.

Why not lower?

It is not LOW because security UI is part of the trust boundary in a browser, especially on mobile where screen real estate hides context and users move quickly through auth flows. In enterprises that rely on mobile SSO, phishing-resistant design failures can still translate into credential theft or fraudulent approvals.

05 · Compensating Control

What to do — in priority order.

  1. Force Chrome auto-update through EMM — Use Managed Google Play / Android Enterprise policy to keep com.android.chrome current and block long-lived stale versions. For a MEDIUM noisgate verdict there is no mitigation SLA — go straight to the 365-day remediation window, but this is cheap hygiene and should be turned on now if it is not already.
  2. Constrain unmanaged mobile browsing — Where business apps depend on mobile web auth, require managed devices and managed browsers for sensitive workflows. There is no mitigation SLA for MEDIUM, so treat this as control hardening while completing remediation within 365 days.
  3. Lean on phishing-resistant auth — FIDO2/passkeys, number matching, and tight conditional access reduce the value of spoofed trust indicators because a fake page cannot easily replay possession-bound authentication. There is no mitigation SLA for MEDIUM, but this materially cuts consequence while the fleet ages out stale versions.
  4. Raise detections on mobile-origin phishing — Correlate mobile click telemetry, Safe Browsing blocks, IdP sign-in anomalies, and impossible-travel detections to catch the *follow-on abuse* this CVE is most likely to enable. Again, no mitigation SLA here; use the normal security engineering cycle while remediating the vulnerable app version inside 365 days.
What doesn't work
  • A network vuln scanner will not meaningfully surface this, because the exposed thing is a mobile client app version, not a listening service.
  • EDR exploit prevention tuned for memory corruption is the wrong control family; this bug is about deception/UI trust, not shellcode execution.
  • A WAF does not solve a client-side phishing/spoofing issue in users' browsers unless your entire threat model is only your own web apps.
06 · Verification

Crowdsourced verification payload.

Run this from an auditor workstation with adb installed against a USB-connected or network-connected Android device that has developer access authorized. Example: python check_chrome_android_cve_2026_11175.py --serial R58N1234567. It needs permission to run adb shell dumpsys package com.android.chrome; no root is required.

noisgate-verify.py
PYTHONREAD-ONLYSAFE
#!/usr/bin/env python3
# Check Google Chrome on Android for CVE-2026-11175
# Outputs: VULNERABLE / PATCHED / UNKNOWN
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN, 3=usage/dependency error

import argparse
import re
import shutil
import subprocess
import sys

FIXED = (149, 0, 7827, 53)
PKG = "com.android.chrome"


def parse_version(v):
    m = re.findall(r"\d+", v or "")
    if len(m) < 4:
        return None
    return tuple(int(x) for x in m[:4])


def cmp_ver(a, b):
    return (a > b) - (a < b)


def run(cmd):
    try:
        p = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True, check=False)
        return p.returncode, p.stdout, p.stderr
    except Exception as e:
        return 99, "", str(e)


def get_version(serial=None):
    adb = shutil.which("adb")
    if not adb:
        print("UNKNOWN - adb not found in PATH")
        sys.exit(3)

    base = [adb]
    if serial:
        base += ["-s", serial]

    rc, out, err = run(base + ["shell", "dumpsys", "package", PKG])
    if rc != 0:
        print(f"UNKNOWN - failed to query package via adb: {err.strip() or out.strip()}")
        sys.exit(2)

    # Try common fields first
    for line in out.splitlines():
        line = line.strip()
        m = re.search(r"versionName=([^\s]+)", line)
        if m:
            return m.group(1)

    # Fallback: parse package dump more loosely
    m = re.search(r"versionName=([^\s]+)", out)
    if m:
        return m.group(1)

    return None


def main():
    ap = argparse.ArgumentParser(description="Check Chrome on Android for CVE-2026-11175")
    ap.add_argument("--serial", help="adb device serial", default=None)
    args = ap.parse_args()

    version = get_version(args.serial)
    if not version:
        print("UNKNOWN - could not determine Chrome version")
        sys.exit(2)

    parsed = parse_version(version)
    if not parsed:
        print(f"UNKNOWN - unrecognized version format: {version}")
        sys.exit(2)

    if cmp_ver(parsed, FIXED) < 0:
        print(f"VULNERABLE - {PKG} version {version} is older than 149.0.7827.53")
        sys.exit(1)
    else:
        print(f"PATCHED - {PKG} version {version} is 149.0.7827.53 or newer")
        sys.exit(0)


if __name__ == "__main__":
    main()
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning: pull an EMM inventory of com.android.chrome on Android, identify devices below 149.0.7827.53, and confirm Managed Play auto-update is actually working. For a MEDIUM verdict there is no noisgate mitigation SLA — go straight to the 365-day remediation window; that means no emergency block is required unless you have separate phishing activity hitting mobile users, but you should still clear stale versions through normal mobile patch operations and complete the browser upgrade within the noisgate remediation SLA of 365 days.

Sources

  1. Chrome Releases blog
  2. VulDB entry for CVE-2026-11175
  3. GovCERT HK alert for Chrome 149 vulnerabilities
  4. CISA Known Exploited Vulnerabilities Catalog
  5. FIRST EPSS API documentation
  6. FIRST EPSS data and stats
  7. Google Chrome Help: Update Chrome on Android
  8. Google Chrome on Google Play
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.