← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
CVE-2026-11178 · CWE-346 · Disclosed 2026-06-04

Insufficient policy enforcement in WebView in Google Chrome on Android prior to 149

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is a peephole in a moving car, not a stolen master key

CVE-2026-11178 is a policy bypass in Android WebView/Chrome that can let a remote attacker leak cross-origin data after a user opens a crafted page on a vulnerable Android device. The affected range is Google Chrome on Android / Android WebView prior to 149.0.7827.53, with the fix landing in the Chrome 149 stable train. In practice, this means browser sessions and app-embedded WebView sessions on Android are the exposure surface, not servers.

The vendor's MEDIUM 4.3 is basically fair on paper, but in enterprise prioritization this lands a bit lower because the attack chain is full of friction: user interaction is required, the impact is confidentiality-only and explicitly low, there is no RCE, no privilege gain, no persistence, no KEV listing, and EPSS is near the floor. The only real amplifier is that Android WebView is everywhere, so if you have sensitive SSO or internal web apps routinely used from managed Android devices, it deserves cleanup — just not emergency treatment.

"Broad Android reach, but this is still a click-required data leak with no code exec, no KEV, and thin real-world weaponization."
02 · The Attack Path

3 steps from start to impact.

STEP 01

Deliver a crafted page with a lure

The attacker needs the victim to open attacker-controlled web content in Chrome for Android or an app that embeds Android WebView. The practical delivery tools are the boring ones: phishing links in email, chat, SMS, QR codes, ads, or deep links into an app web surface. Reference surface: Android WebView / Chrome rendering engine.
Conditions required:
  • Victim uses an Android device with vulnerable Chrome/WebView below 149.0.7827.53
  • Victim opens attacker-controlled content
  • The target workflow actually uses Chrome or an embedded WebView
Where this breaks in practice:
  • Email gateway, mobile threat defense, link protection, and user skepticism cut down lure success
  • Managed Android fleets often auto-update Chrome/WebView through Google Play, shrinking the vulnerable population quickly
  • This is not a server-side bug; there is nothing internet-facing to mass-hit directly
Detection/coverage: Traditional vuln scanners have poor direct coverage because this is a client-side mobile component. Detection is mostly via MDM inventory, Play/managed-app version reporting, or adb/device shell checks.
STEP 02

Reach a sensitive cross-origin target in-session

The policy bypass only matters if the victim is also authenticated to a valuable target origin, such as SSO, internal portals, HR apps, or SaaS dashboards viewed from the same device. The attacker is effectively trying to abuse browser/WebView trust boundaries to read data that should stay isolated by same-origin policy or related policy enforcement. Reference surface: Chromium WebView policy enforcement path.
Conditions required:
  • Victim is logged into a target site or app-backed web session
  • The leaked data is present and reachable in the vulnerable browsing context
  • The target workflow is used on mobile, not just desktop
Where this breaks in practice:
  • Many enterprise-sensitive apps are desktop-heavy or blocked on mobile
  • Short session lifetimes, re-auth prompts, and conditional access reduce the useful window
  • Some apps push users out of embedded WebView into a hardened external browser flow
Detection/coverage: Network telemetry may only show normal HTTPS browsing. You are unlikely to get a clean IDS signature for 'cross-origin leak' without app/browser-specific telemetry.
STEP 03

Exfiltrate low-grade cross-origin data

If exploitation succeeds, the attacker gets some cross-origin data leakage, not arbitrary code execution and not full device compromise. The disclosed CVSS vector and confidentiality rating both indicate the expected impact is limited rather than total session theft or broad account takeover by default. Weaponized follow-on abuse depends on exactly what data was exposed in the victim's browsing session.
Conditions required:
  • The bug yields data useful enough to matter
  • The attacker can receive exfiltrated output from the crafted page
  • The leaked information is not already protected by additional application-layer controls
Where this breaks in practice:
  • Impact is explicitly C:L/I:N/A:N — that is a narrow blast radius compared with real browser RCEs
  • Application-layer encryption, token binding, or step-up auth can make leaked artifacts less reusable
  • No public exploitation wave or mature public exploit ecosystem was found
Detection/coverage: There is no strong signature-based scanner story here. Best signals are version inventory plus anomalous browsing/lure telemetry from mobile security and identity systems.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusNo public in-the-wild evidence found in the sources reviewed. It is not listed in CISA KEV and Google did not flag this issue as actively exploited.
Proof-of-concept availabilityNo credible public PoC or exploit repo found in the searches reviewed. That matters because browser policy-bypass bugs often need implementation details to become reliably weaponized.
EPSS0.00011 from the supplied intel — effectively near the floor. Percentile was not provided in the supplied intel, but the absolute score indicates very low short-term exploit likelihood.
KEV statusNot KEV-listed. CISA's Known Exploited Vulnerabilities Catalog has no entry for CVE-2026-11178.
CVSS vector meaningCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N means remote and easy to trigger once a user clicks, but the impact is low confidentiality only with no integrity or availability effect.
Affected versionsGoogle Chrome on Android / Android WebView prior to 149.0.7827.53. This is an Android client/browser issue, not a desktop Chrome-only issue and not a server workload issue.
Fixed versionsPatched in 149.0.7827.53 and later. For Android estates, verify both com.google.android.webview and com.android.chrome because provider selection varies by device and Android version.
Exposure and scanning realityNot internet-scannable in the normal Shodan/Censys sense because there is no listening service to enumerate. Exposure must be measured from fleet inventory/MDM, not external attack-surface management.
Disclosure timingDisclosed 2026-06-04 per supplied intel; Google promoted Chrome 149 stable on 2026-06-02 and Chrome for Android 149 rollout began on 2026-05-28.
Reporter / source of findingGoogle's stable-channel bulletin attributes CVE-2026-11178 as "Reported by Google" with issue tracking tied to the Chrome 149 security rollup.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to LOW (3.2/10)

The decisive factor is attack-chain friction: this bug needs a victim on Android to open attacker content in a vulnerable Chrome/WebView context and then have useful cross-origin data present to steal. That is a long way from the mass-exploitable, low-friction browser bugs that justify emergency patching, especially with confidentiality-only, low-impact outcomes and no exploitation evidence.

HIGH Exploit-prevalence assessment
MEDIUM Blast-radius assessment

Why this verdict

  • Downgrade for user interaction and client-side reachability: UI:R means the attacker does not get a direct shot at the target; they need a click or equivalent user navigation into attacker content.
  • Downgrade for post-condition dependence: exploitation only matters if the victim is simultaneously authenticated to a valuable origin in the same browsing environment. That implies a narrower real-world target set than the vendor score alone suggests.
  • Downgrade for limited impact: the vendor vector is C:L/I:N/A:N. No code execution, no sandbox escape, no persistence, no integrity loss, no service impact.
  • Downgrade for threat intel absence: no KEV listing, no cited active exploitation, and the supplied EPSS 0.00011 all push hard against urgent prioritization.
  • Slight upward pressure for ubiquity: Android WebView is everywhere, including enterprise mobile apps, so this is not ignorable if your mobile fleet regularly hits SSO, SaaS, or internal portals.

Why not higher?

This is not a browser RCE, sandbox escape, auth bypass, or account-compromise primitive by itself. The chain requires user navigation plus a valuable logged-in cross-origin target, and even then the expected outcome is only limited data leakage. Without KEV, PoC traction, or stronger impact, HIGH would be inflationary.

Why not lower?

It is still a remote, no-privileges-required bug in a massively deployed mobile browsing component. For organizations with heavy Android usage, especially field staff using internal portals or SSO-backed SaaS from mobile apps, cross-origin leaks can still expose useful business data. That keeps it above IGNORE.

05 · Compensating Control

What to do — in priority order.

  1. Force auto-updates for Chrome and WebView — Use MDM/Play management to keep com.android.chrome and com.google.android.webview on current builds. For a LOW verdict there is no SLA; treat as backlog hygiene and fold this into the next routine mobile browser/app update cycle.
  2. Inventory mobile web usage for sensitive apps — Identify which internal and SaaS apps are commonly accessed through Android Chrome or embedded WebView, then focus validation and upgrade follow-up there first. For LOW, there is no SLA; do this as part of normal mobile exposure mapping rather than a fire drill.
  3. Prefer hardened browser flows for high-value auth — Where app design allows it, push high-value authentication and sensitive workflows into managed external browser flows instead of arbitrary in-app WebViews. For LOW, treat this as architecture hardening during the next app/security review cycle.
  4. Tighten identity controls on mobile sessions — Short session lifetimes, conditional access, and step-up auth reduce the resale value of whatever small amount of cross-origin data might leak. For LOW, apply only where your mobile threat model already justifies it; this is not a reason to launch disruptive controls fleet-wide.
What doesn't work
  • A network perimeter scan will not help; this is a client-side Android component, not a listening service.
  • A WAF does not reliably stop this class of bug because the vulnerable logic lives in the victim's browser/WebView, not on your web server edge.
  • Patching desktop Chrome only misses the issue; the affected surface here is Android Chrome / Android WebView.
06 · Verification

Crowdsourced verification payload.

Run this from an auditor workstation that has adb installed and connectivity to the Android device, for example ./check_cve_2026_11178.sh <device-serial>. It needs USB debugging or equivalent device shell access; no root is required, but standard adb shell access is.

noisgate-verify.sh
BASHREAD-ONLYSAFE
#!/usr/bin/env bash
# check_cve_2026_11178.sh
# Determine whether an Android device is vulnerable to CVE-2026-11178
# by checking Chrome/WebView package versions against 149.0.7827.53.
#
# Usage:
#   ./check_cve_2026_11178.sh <device-serial>
# Exit codes:
#   0 = PATCHED
#   1 = VULNERABLE
#   2 = UNKNOWN / usage / connectivity problem

set -euo pipefail

FIXED_VERSION="149.0.7827.53"
SERIAL="${1:-}"

if [[ -z "$SERIAL" ]]; then
  echo "UNKNOWN - usage: $0 <device-serial>"
  exit 2
fi

if ! command -v adb >/dev/null 2>&1; then
  echo "UNKNOWN - adb not found in PATH"
  exit 2
fi

if ! adb -s "$SERIAL" get-state >/dev/null 2>&1; then
  echo "UNKNOWN - device $SERIAL not reachable via adb"
  exit 2
fi

trim_cr() {
  tr -d '\r'
}

get_pkg_version() {
  local pkg="$1"
  adb -s "$SERIAL" shell dumpsys package "$pkg" 2>/dev/null | trim_cr | awk -F= '/versionName=/{print $2; exit}'
}

ver_ge() {
  # returns 0 if $1 >= $2
  local a="$1" b="$2"
  [[ "$(printf '%s\n%s\n' "$a" "$b" | sort -V | tail -n1)" == "$a" ]]
}

WEBVIEW_INFO="$(adb -s "$SERIAL" shell dumpsys webviewupdate 2>/dev/null | trim_cr || true)"
CURRENT_PROVIDER_LINE="$(printf '%s\n' "$WEBVIEW_INFO" | grep -Ei 'Current WebView package|Current WebView package \(name, version\)|currentWebViewPackage' | head -n1 || true)"

PROVIDER_PKG=""
PROVIDER_VER=""

if [[ -n "$CURRENT_PROVIDER_LINE" ]]; then
  PROVIDER_PKG="$(printf '%s\n' "$CURRENT_PROVIDER_LINE" | grep -Eo 'com\.[A-Za-z0-9._]+' | head -n1 || true)"
  PROVIDER_VER="$(printf '%s\n' "$CURRENT_PROVIDER_LINE" | grep -Eo '[0-9]+(\.[0-9]+){3,}' | head -n1 || true)"
fi

if [[ -z "$PROVIDER_PKG" ]]; then
  for candidate in com.google.android.webview com.android.chrome; do
    if ver="$(get_pkg_version "$candidate")" && [[ -n "$ver" ]]; then
      PROVIDER_PKG="$candidate"
      PROVIDER_VER="$ver"
      break
    fi
  done
fi

CHROME_VER="$(get_pkg_version com.android.chrome || true)"
WEBVIEW_VER="$(get_pkg_version com.google.android.webview || true)"

if [[ -z "$PROVIDER_VER" && -z "$CHROME_VER" && -z "$WEBVIEW_VER" ]]; then
  echo "UNKNOWN - unable to determine Chrome/WebView version"
  exit 2
fi

# Prefer the active provider when available.
CHECK_VER="$PROVIDER_VER"
CHECK_PKG="$PROVIDER_PKG"

if [[ -z "$CHECK_VER" ]]; then
  if [[ -n "$WEBVIEW_VER" ]]; then
    CHECK_VER="$WEBVIEW_VER"
    CHECK_PKG="com.google.android.webview"
  else
    CHECK_VER="$CHROME_VER"
    CHECK_PKG="com.android.chrome"
  fi
fi

if ver_ge "$CHECK_VER" "$FIXED_VERSION"; then
  echo "PATCHED - $CHECK_PKG version $CHECK_VER >= $FIXED_VERSION"
  exit 0
else
  echo "VULNERABLE - $CHECK_PKG version $CHECK_VER < $FIXED_VERSION"
  exit 1
fi
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning, have mobility/endpoint management inventory all Android devices using Chrome/WebView below 149.0.7827.53, then confirm whether those users access SSO, internal portals, or sensitive SaaS from mobile. Because this is LOW, there is no noisgate mitigation SLA and no urgent temporary control requirement; treat it as backlog hygiene and clear stale versions in the next normal mobile maintenance cycle. For the same reason there is no noisgate remediation SLA beyond backlog hygiene for LOW findings, but don't let that become neglect: close it during routine browser/app update operations and document exceptions for devices with disabled Play updates or stranded app stores.

Sources

  1. Google Chrome Releases - Stable Channel Update for Desktop (Chrome 149 security fixes)
  2. Google Chrome Releases - Chrome for Android Update (Chrome 149 rollout start)
  3. CISA Known Exploited Vulnerabilities Catalog
  4. FIRST EPSS overview
  5. Android Developers - Simplify your WebView implementation with Jetpack Webkit
  6. Android Developers - Embedding web content into your app as primary or supporting content
  7. Android Developers - Build web apps in WebView
  8. SecurityWeek - Chrome 149 Patches 429 Vulnerabilities
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.