CVE-2026-11275 · Inappropriate implementation in Page Info in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker who had compromised t

01 · The Real Story

This is finding the spare key after you already broke into the house

CVE-2026-11275 is an *Android Chrome* flaw in the Page Info surface that lets an attacker who has already compromised the renderer process bypass navigation restrictions using a crafted HTML page. The affected range is Google Chrome on Android before 149.0.7827.53; the user-provided disclosure date is 2026-06-05. This is not a first-stage browser RCE by itself, and it is not an OS sandbox escape by itself.

The vendor's MEDIUM 6.5 is too generous for enterprise patch triage because the decisive prerequisite is enormous: the attacker must first land a separate renderer compromise. That means this bug is mostly useful as a *post-exploitation chain component* inside Chrome, not as a broad internet-scale entry point. Chrome's own upstream labeling reflected that reality by calling the Chromium security severity Low.

"This is a chain extender, not an entry bug: it matters only after the attacker already owns Chrome's renderer."

02 · The Attack Path

4 steps from start to impact.

STEP 01

Lure the victim onto attacker-controlled web content

The attacker needs the target to open a crafted page in vulnerable Chrome on Android. The delivery mechanism is ordinary web content; no exposed service or listening port is involved. Tooling here is just a phishing page, malvertising redirect, or exploit-hosting site rather than a specialized CVE-2026-11275 exploit kit.

Conditions required:

Victim uses Chrome on Android below 149.0.7827.53
Victim browses attacker-controlled or attacker-influenced content
User interaction is required

Where this breaks in practice:

This is client-side and user-driven, so there is no mass unauthenticated network reachability
Safe Browsing, link filtering, and user behavior reduce first contact volume

Detection/coverage: Traditional perimeter scanners will not find this. Detection comes from mobile browsing telemetry, web filtering logs, and managed-browser/version inventory.

STEP 02

Land a separate renderer compromise first

The attacker must already have code execution or equivalent control inside Chrome's renderer process through a different vulnerability or exploit chain. In practice this means a separate memory-corruption or logic bug does the real heavy lifting, while CVE-2026-11275 only becomes relevant afterward. Tooling would be a custom browser exploit chain or commercial exploit framework; I found no public PoC for CVE-2026-11275 itself.

Conditions required:

A second vulnerability must be available to compromise the renderer
The renderer exploit must work on the target Chrome/Android combination

Where this breaks in practice:

This is the dominant downgrade factor: requiring a prior renderer compromise pushes the bug out of the initial-access bucket
Modern browser hardening, site isolation, crash telemetry, and exploit mitigations raise the cost substantially
Public reporting reviewed here does not show in-the-wild abuse of this CVE

Detection/coverage: EDR is limited on mobile, but browser crash spikes, MTD telemetry, exploit protection alerts, and incident artifacts from the first-stage renderer bug are where defenders would see activity.

STEP 03

Abuse Page Info to bypass navigation restrictions

Once inside the renderer, the attacker uses the vulnerable Page Info implementation to sidestep navigation restrictions via crafted HTML. That turns a renderer foothold into additional control over browser navigation behavior. The weaponized component is the malicious page plus the already-running renderer exploit chain, not a standalone network exploit for this CVE.

Conditions required:

Chrome Android build is still vulnerable
Attack path reaches the Page Info code path
The crafted page successfully triggers the flawed navigation logic

Where this breaks in practice:

The bug is Android-specific, which trims affected enterprise population compared with all-platform Chrome issues
Feature-specific logic bugs are often brittle across versions and device variants

Detection/coverage: Signature-based vulnerability scanners usually report only version exposure. Runtime detection is weak unless you have browser telemetry or forensic visibility on suspicious navigation behavior.

STEP 04

Exploit the gained browser-integrity foothold

The likely business impact is browser trust and integrity abuse: forced or restricted-flow navigation, spoofing opportunities, or manipulation of web interactions after the renderer is already hostile. That is materially worse than a harmless UI bug, but it still falls short of direct device compromise. The attacker still needs a meaningful follow-on objective such as credential phishing or workflow manipulation.

Conditions required:

A target workflow where forced navigation or browser trust matters
Victim remains engaged long enough for the follow-on action

Where this breaks in practice:

No evidence reviewed shows direct sandbox escape, arbitrary app install, or turnkey data theft from this CVE alone
Blast radius is primarily the current browser session or user workflow, not wholesale enterprise takeover

Detection/coverage: User reports, anomalous navigation telemetry, identity-provider sign-in anomalies, and phishing detections are more realistic than host-based CVE-specific detections.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No confirmed active exploitation found in reviewed public sources, and the user-provided KEV status is No.
KEV status	Not listed in the CISA KEV catalog as reviewed.
PoC availability	No public PoC located for CVE-2026-11275 specifically. That matters because exploitation already depends on a separate renderer-compromise bug.
EPSS	User-provided EPSS is 0.0002, which is extremely low. I did not independently verify the exact percentile from FIRST in the sources reviewed.
CVSS interpretation	`AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N` looks scarier than reality because `PR:N` hides the practical prerequisite: the description says the attacker must have already compromised the renderer process.
Affected versions	Google Chrome on Android prior to 149.0.7827.53.
Fixed versions	Vendor fix point is 149.0.7827.53 or later for Chrome on Android. Downstream Linux package ecosystems also show backported Chromium package fixes, e.g. openSUSE Tumbleweed `chromium >= 149.0.7827.53-2.1`.
Vendor vs upstream severity	User-provided vendor severity is MEDIUM 6.5, but the reviewed upstream text reports Chromium security severity: Low.
Exposure/scanning reality	Not meaningfully internet-scannable. Shodan/Censys/FOFA-style exposure counts are largely irrelevant because this is a client-side Android browser bug, not a remotely exposed server daemon.
Disclosure / reporting	Public disclosure date provided is 2026-06-05. I did not find a public researcher credit in the sources reviewed.

04 · The Call

noisgate verdict.

Final Verdict

↓ DOWNGRADED to LOW (3.4/10)

The single biggest severity suppressor is the requirement for a prior renderer compromise. That means CVE-2026-11275 is not a realistic first-hop enterprise intrusion path; it is a narrow browser chain enhancer whose reachable population and standalone blast radius are both limited.

HIGH Downgrade driven by prerequisite analysis

MEDIUM Public exploitability and PoC availability assessment

MEDIUM Version/fix mapping for Android Chrome

Why this verdict

Massive prerequisite downgrade: the attacker must *already* have compromised Chrome's renderer process, which implies a separate exploit chain and pushes this out of the initial-access bucket.
Reachability is narrow: this is Android Chrome only, user-driven, and client-side; there is no internet-exposed service to spray at scale across your estate.
Threat signals are weak: no KEV listing, no confirmed public in-the-wild exploitation found, no public PoC found, and the user-provided EPSS of 0.0002 is extremely low.

Why not higher?

A higher rating would require either evidence of active exploitation, a reliable public exploit chain, or a bug that stands on its own as an entry point. This one does none of that. The need for an existing renderer foothold is compounding downward pressure because it assumes the attacker has already cleared the hardest part.

Why not lower?

It is still a real security boundary failure inside one of the most widely deployed browsers on mobile, and integrity-impact bugs in browser navigation can support phishing or workflow abuse. If an actor already has a renderer exploit, this bug can improve the quality of that chain, so it is not ignorable noise.

05 · Compensating Control

What to do — in priority order.

Enforce Chrome auto-update on managed Android — Use EMM / managed Google Play policy to keep Chrome on current stable so vulnerable builds age out naturally. For a LOW verdict, there is no SLA beyond backlog hygiene, so fold this into the normal mobile app maintenance cycle rather than emergency work.
Block stale browser versions from high-risk workflows — Apply conditional access or web access policy for sensitive internal apps where feasible, especially for identity, finance, and admin portals. This reduces the value of browser-integrity abuse and can be rolled into your normal policy-review cycle because there is no urgent mitigation clock here.
Reduce first-stage browser exploit exposure — Keep Safe Browsing protections enabled, restrict sideloading, and use mobile threat defense or secure web gateway controls where available. The best defense here is stopping the *separate renderer compromise* that this CVE depends on.
Inventory Android Chrome laggards — Query your device fleet for versions below 149.0.7827.53 and identify devices not receiving Play updates. Treat remediation as routine backlog hygiene unless new exploitation evidence appears.

What doesn't work

A WAF does not help; the vulnerable component is the client browser, not your web server.
Network IPS signatures are weak value here because the attacker can deliver ordinary web content and the meaningful trigger happens *after* a renderer compromise inside the browser.
MFA does not prevent the vulnerability itself; it only reduces damage in some phishing-style follow-on scenarios.

06 · Verification

Crowdsourced verification payload.

Run this from an auditor workstation that has adb access to the target Android device; no root is required, but the device must allow ADB/managed debugging. Invoke it as ./check_cve_2026_11275.sh <device-serial> or, for a single attached device, just ./check_cve_2026_11275.sh.

noisgate-verify.sh

BASHREAD-ONLYSAFE

#!/usr/bin/env bash
# check_cve_2026_11275.sh
# Detects whether Google Chrome on Android is below 149.0.7827.53
# Output: VULNERABLE / PATCHED / UNKNOWN
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

set -u

PKG="com.android.chrome"
FIXED="149.0.7827.53"
SERIAL="${1:-}"
ADB=(adb)

if [[ -n "$SERIAL" ]]; then
  ADB+=( -s "$SERIAL" )
fi

fail_unknown() {
  echo "UNKNOWN: $1"
  exit 2
}

ver_lt() {
  # returns 0 if $1 < $2 using version sort
  local first
  first=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)
  [[ "$1" != "$2" && "$first" == "$1" ]]
}

command -v adb >/dev/null 2>&1 || fail_unknown "adb not found in PATH"

${ADB[@]} get-state >/dev/null 2>&1 || fail_unknown "no reachable Android device via adb"

pkg_path=$(${ADB[@]} shell pm path "$PKG" 2>/dev/null | tr -d '\r')
[[ -n "$pkg_path" ]] || fail_unknown "Chrome package $PKG not installed or not visible"

version=$(${ADB[@]} shell dumpsys package "$PKG" 2>/dev/null | tr -d '\r' | sed -n 's/.*versionName=\([^ ]*\).*/\1/p' | head -n1)
[[ -n "$version" ]] || fail_unknown "could not determine Chrome versionName"

if ver_lt "$version" "$FIXED"; then
  echo "VULNERABLE: Chrome version $version is below fixed version $FIXED"
  exit 1
else
  echo "PATCHED: Chrome version $version is at or above fixed version $FIXED"
  exit 0
fi

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning, have your mobility team query managed Android devices for Chrome versions below 149.0.7827.53, make sure Play/EMM auto-update is functioning, and sweep out stranded devices during the next routine browser-update wave. Because this is LOW, there is no noisgate mitigation SLA and no noisgate remediation SLA beyond backlog hygiene; document the downgrade rationale, patch through normal mobile maintenance, and only pull it forward if a separate renderer-compromise campaign or KEV-style exploitation evidence emerges.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.