← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
CVE-2026-11226 · CWE-346 · Disclosed 2026-06-04

Insufficient policy enforcement in PreviewTab in Google Chrome on Android prior to 149

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is less a front-door break-in than a trick that only works if the user opens the right side window and taps in just the right pattern

CVE-2026-11226 is an *insufficient policy enforcement* bug in PreviewTab on Google Chrome for Android. Per NVD, it affects Chrome on Android prior to 149.0.7827.53 and lets a remote attacker use a crafted HTML page to bypass the browser's same-origin policy if the victim also performs specific UI gestures inside the affected preview flow. That makes this a client-side browser logic flaw with a narrow trigger path, not a general Chrome-on-Android RCE or a server-reachable exposure.

The vendor baseline of MEDIUM 6.5 already overstates how much of an enterprise fleet is realistically reachable. The decisive friction is not just generic UI:R; it is specific UI gestures inside a specific Android-only PreviewTab path, which sharply constrains weaponization, scale, and reliability. Chromium's own record labels the issue's internal security severity as Low, and that matches real-world patch priority better than the CVSS headline.

"This is a narrow Android Chrome UX bug, not a fleet-wide fire drill."
02 · The Attack Path

4 steps from start to impact.

STEP 01

Deliver a lure page

The attacker needs a victim to open a crafted HTML page in Chrome on Android. In practice the delivery tool is commodity phishing infrastructure, malvertising, or a link in chat/email; there is no indication of a self-propagating mechanism or server-side reachability. Reference: NVD.
Conditions required:
  • Victim uses Chrome on Android
  • Victim is on a vulnerable version earlier than 149.0.7827.53
  • Victim opens attacker-controlled content
Where this breaks in practice:
  • Android-only scope excludes desktop Chrome and non-Chrome mobile browsers
  • Most enterprises already have mobile app auto-update via Google Play or MDM
  • Email gateways, safe-link rewriting, and user training reduce successful lure opens
Detection/coverage: Good coverage for the lure stage via mail/web telemetry; poor direct scanner coverage because this is a client-side browser-state bug, not a remotely fingerprintable service.
STEP 02

Steer the user into PreviewTab

The exploit path depends on PreviewTab rather than ordinary page rendering. That means the attacker must get the victim into the specific Chrome UI flow where preview handling occurs, likely via app/Chrome interaction or link-preview behavior. Reference: CVE text in NVD.
Conditions required:
  • PreviewTab workflow must be reachable from the victim's browsing context
  • Victim must interact with that workflow rather than a normal tab open
Where this breaks in practice:
  • This is a niche feature path, not every page load
  • Many campaigns fail because users do not enter the required preview state
  • Exploit reliability drops across OEM Android builds and UX variations
Detection/coverage: Limited. MTD/EDR on mobile may record Chrome deep-link/app activity, but most vuln scanners cannot validate PreviewTab reachability.
STEP 03

Collect the required UI gestures

The CVE explicitly requires that the attacker convince the user to engage in specific UI gestures. That is materially different from a one-click browser bug: the exploit needs a cooperative victim performing the right gestures at the right time, which compounds the failure rate for mass exploitation. Reference: NVD and Chromium's severity guidance on unusually high user interaction lowering severity.
Conditions required:
  • Victim must perform the necessary gestures
  • The gestures must occur in the vulnerable preview state
Where this breaks in practice:
  • Extra interaction beyond simply opening a link
  • Modern phishing resistance breaks down the funnel before this step
  • Small UI or timing changes can kill exploit reliability
Detection/coverage: Almost no signature-based scanner coverage. Detection is mostly indirect through suspicious browsing journeys, user reports, or mobile telemetry.
STEP 04

Abuse policy failure to break origin boundaries

If the state and gestures line up, PreviewTab can mishandle origin policy enforcement and allow a same-origin policy bypass. Based on the CVE text and vector, the likely security outcome is cross-origin integrity confusion or actioning within another origin context, rather than code execution or broad data exfiltration; that is an inference from the published description plus C:N/I:H/A:N. References: NVD and Chrome's Site Isolation overview.
Conditions required:
  • Victim must still be in the vulnerable PreviewTab state
  • The crafted page must successfully drive the origin confusion
Where this breaks in practice:
  • Impact appears limited to a browser security-boundary bypass, not device compromise
  • Site Isolation and other browser hardening reduce blast radius even when SOP logic fails
  • No public PoC or in-the-wild exploitation evidence currently lowers attacker confidence
Detection/coverage: No strong network signature. Browser crash telemetry is unlikely to help because this is a logic bug, not memory corruption.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusNo public evidence of active exploitation located in vendor or CISA sources at time of review.
KEV statusNot listed in CISA's Known Exploited Vulnerabilities catalog.
Proof-of-conceptNo public PoC found in the reviewed sources; Chromium bug details are access-restricted.
EPSS0.0001 from the supplied intel, which is effectively floor-level exploitation probability.
Vendor / platform severityCISA-ADP shows 6.5 MEDIUM in NVD, but the CVE description also states Chromium security severity: Low.
CVSS vector meaningAV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N means remote and unauthenticated, but user interaction is required and the published impact is integrity-only, with no confidentiality or availability impact claimed.
Affected versionsGoogle Chrome on Android prior to 149.0.7827.53.
Fixed versionsTreat 149.0.7827.53 or later as patched for this CVE; Android release trains may ship a later patched build number while still containing the fix.
Scanning / exposure dataInternet-wide exposure scanning is largely irrelevant here. This is a client-side mobile browser UX bug, so Shodan/Censys-style exposure counting does not meaningfully measure reachable population.
DisclosurePublicly disclosed 2026-06-04; reporter identity is not public in the reviewed sources.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to LOW (3.4/10)

The single biggest downward driver is the exploit chain's specific-gesture requirement inside an Android-only PreviewTab path. That makes this a narrow, unreliable client-side attack that does not scale cleanly across a 10,000-device fleet, even though the abstract security boundary involved is real.

HIGH Affected version range and vendor/CISA metadata
MEDIUM Real-world exploitability downgrade based on UI-path friction
LOW Exact post-bypass impact details because the Chromium issue is not public

Why this verdict

  • Downgrade for attacker position: this is remote but only through a victim-driven mobile browsing session, not a service an attacker can hit directly at internet scale.
  • Downgrade for prerequisite stacking: the chain requires Chrome on Android + vulnerable build + PreviewTab path + specific UI gestures. Each prerequisite cuts the reachable population and reliability.
  • Downgrade for control coverage: modern email security, safe browsing, mobile threat defense, and app auto-update all act before or during the only realistic exploit path.
  • Downgrade for blast radius: published impact is a browser origin-policy bypass, not OS-level code execution, privilege escalation, or durable device takeover.
  • Downgrade for threat intel: no KEV listing, no public exploitation, no public PoC, and near-zero EPSS argue against emergency prioritization.

Why not higher?

This does not deserve MEDIUM-or-higher operational handling because it is not broadly reachable or reliably weaponizable. A same-origin policy bypass sounds serious in the abstract, but the Android-only scope and the required PreviewTab gesture choreography are exactly the kind of compounding frictions that should push a patch team downward, not upward.

Why not lower?

This is still a real browser security-boundary failure, not a cosmetic bug. If the attacker lands the right user journey on a vulnerable Android device, origin confusion can still enable meaningful web-session abuse, so it should not be ignored outright.

05 · Compensating Control

What to do — in priority order.

  1. Enforce Chrome auto-update on managed Android — Use Google Play managed app policy or your MDM to require current Chrome builds so vulnerable versions age out naturally. For a LOW verdict there is no mitigation SLA under noisgate, so treat this as backlog hygiene and keep the fleet on patched app baselines before the 365-day remediation window closes.
  2. Prefer managed browser channels — Keep enterprise Android devices on approved browser packages with update visibility in MDM. This reduces the long tail of stranded versions and is the most practical defense for a client-side browser bug when direct network shielding is weak.
  3. Block obvious lure domains fast — Use email/web filtering and Safe Browsing-integrated controls to kill malicious landing pages before users ever reach the required PreviewTab flow. Even without a formal mitigation SLA for LOW, this is worth doing opportunistically when threat intel identifies active lure infrastructure.
  4. Inventory vulnerable package versions — Query com.android.chrome version data from MDM or adb so you can identify Android devices below 149.0.7827.53. For this severity, do the inventory work as part of normal monthly mobile-app hygiene rather than as an interruption-driven campaign.
What doesn't work
  • A perimeter vulnerability scanner will not help much; this is not a remotely enumerable service flaw.
  • Desktop Chrome patch status is not a reliable proxy; the CVE is Android-specific and lives in a mobile UI path.
  • WAF rules do not solve the core problem because exploitation happens inside the victim browser's preview workflow after the page is loaded.
06 · Verification

Crowdsourced verification payload.

Run this on an auditor workstation with adb installed and USB/network debugging access to the Android device. Invoke it as python3 check_cve_2026_11226.py or python3 check_cve_2026_11226.py SERIAL123; it needs permission to talk to adb, but not root on the phone.

noisgate-verify.py
PYTHONREAD-ONLYSAFE
#!/usr/bin/env python3
# check_cve_2026_11226.py
# Verify whether Google Chrome on Android is vulnerable to CVE-2026-11226.
# Exit codes:
#   0 = PATCHED
#   1 = VULNERABLE
#   2 = UNKNOWN / error

import re
import subprocess
import sys

PACKAGE = 'com.android.chrome'
FIXED = '149.0.7827.53'


def run(cmd):
    p = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True)
    return p.returncode, p.stdout.strip(), p.stderr.strip()


def parse_version(v):
    m = re.match(r'^(\d+)\.(\d+)\.(\d+)\.(\d+)$', v.strip())
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def cmp_ver(a, b):
    return (a > b) - (a < b)


def adb_base(serial=None):
    base = ['adb']
    if serial:
        base += ['-s', serial]
    return base


def main():
    serial = sys.argv[1] if len(sys.argv) > 1 else None
    base = adb_base(serial)

    rc, out, err = run(base + ['get-state'])
    if rc != 0 or 'device' not in out:
        print('UNKNOWN: adb cannot reach a device')
        if err:
            print(err)
        sys.exit(2)

    rc, out, err = run(base + ['shell', 'dumpsys', 'package', PACKAGE])
    if rc != 0 or not out:
        print(f'UNKNOWN: unable to query package {PACKAGE}')
        if err:
            print(err)
        sys.exit(2)

    m = re.search(r'versionName=([^\s]+)', out)
    if not m:
        print('UNKNOWN: versionName not found for com.android.chrome')
        sys.exit(2)

    installed = m.group(1).strip()
    inst_v = parse_version(installed)
    fixed_v = parse_version(FIXED)

    if inst_v is None or fixed_v is None:
        print(f'UNKNOWN: could not parse version: installed={installed}')
        sys.exit(2)

    print(f'Installed Chrome version: {installed}')
    print(f'Fixed version threshold: {FIXED}')

    if cmp_ver(inst_v, fixed_v) < 0:
        print('VULNERABLE')
        sys.exit(1)
    else:
        print('PATCHED')
        sys.exit(0)


if __name__ == '__main__':
    main()
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning, do not preempt the week for this one. Fold it into your managed Android browser hygiene: inventory devices running com.android.chrome below 149.0.7827.53, confirm auto-update is working, and let normal mobile app maintenance close the gap. Because this is a LOW reassessment, there is no noisgate mitigation SLA and noisgate remediation SLA is backlog hygiene, so document the rationale now and complete patching in routine app-update cadence rather than launching an urgent enterprise-wide response.

Sources

  1. NVD CVE record
  2. Chrome Releases - Chrome for Android Update
  3. Chrome Releases - Early Stable Update for Desktop
  4. Chrome 149 release notes
  5. CISA Known Exploited Vulnerabilities Catalog
  6. Chromium severity guidelines
  7. Chromium site isolation overview
  8. Chromium security release management
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.