← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
CVE-2026-11280 · CWE-20 · Disclosed 2026-06-05

Inappropriate implementation in Signin in Google Chrome on iOS prior to 149

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is a fake badge on the receptionist’s desk, not a master key to the building

CVE-2026-11280 is a client-side Chrome for iOS bug in the Signin area that can let a malicious page present deceptive browser UI and mislead a user during a sign-in flow. The affected range is Google Chrome on iOS before 149.0.7827.53; Google’s public release history shows 149.0.7827.26 on May 20, 2026 and 149.0.7827.45 on May 27, 2026, so those builds are definitely in scope. Source descriptions are slightly inconsistent: Google’s June 2026 Chrome security notes list 'insufficient validation of untrusted input in Signin' and Chromium severity Low, while CVE aggregators summarize the impact as UI spoofing on iOS. I am treating those as the same underlying issue.

The vendor/NVD-style MEDIUM 4.3 score is a bit generous for enterprise patch triage. Yes, it is remotely triggerable and needs no prior auth, but this is still a user-interaction-dependent, client-side spoofing bug in a mobile browser app, with no evidence of code execution, sandbox escape, device compromise, or broad tenant blast radius. That puts it below the line for urgent fleet-wide disruption unless your org has a large managed iOS population using Chrome for identity-heavy workflows.

"Real risk is credential bait on managed iPhones, not broad compromise—treat as low-priority mobile browser hygiene."
02 · The Attack Path

4 steps from start to impact.

STEP 01

Deliver a lure page

The attacker needs a user to open a crafted HTML page in Chrome on iOS. There is no public exploit kit or named PoC repository tied to this CVE; operationally this looks like standard phishing delivery, not weaponized memory corruption.
Conditions required:
  • Target uses Chrome on iOS, not just Safari or desktop Chrome
  • Attacker can send a link through email, chat, SMS, QR, or an app deep link
  • User opens the page in the vulnerable app version
Where this breaks in practice:
  • Many enterprises do not standardize on Chrome for iOS
  • Mobile threat defense, DNS filtering, safe browsing, or mail filtering often kill the lure before click
  • App Store auto-update and MDM-managed updates shorten vulnerable dwell time
Detection/coverage: Network scanners will not see this. Coverage comes from MDM/app inventory showing Chrome iOS versions below 149.0.7827.53.
STEP 02

Abuse the Signin UI path

The malicious page must drive the user into a browser-mediated sign-in flow where the vulnerable Signin implementation can present misleading UI. Based on the advisory language, the exploit lives in UI handling rather than memory safety, so the attack depends on shaping what the victim sees and trusts.
Conditions required:
  • Victim reaches a sign-in related workflow
  • The crafted page can trigger or mimic the relevant browser UI state
Where this breaks in practice:
  • The bug appears confined to a narrow UI path rather than every page render
  • Mobile browser chrome changes and small UX differences can make spoofing brittle across devices and locales
Detection/coverage: Little direct host telemetry. Possible signals are suspicious identity prompts immediately after external-link opens, but that is mostly a phishing detection problem.
STEP 03

Harvest user action

The attacker still needs the victim to believe the spoofed prompt and act on it—enter credentials, approve a login, or otherwise trust the fake state. The vulnerability amplifies phishing, but it does not remove the human step.
Conditions required:
  • User interaction is required
  • Victim must trust the spoofed UI enough to continue
Where this breaks in practice:
  • Phishing-resistant MFA, passkeys, and conditional access reduce the value of stolen credentials
  • User training and branded IdP pages still matter because the exploit is not invisible
Detection/coverage: Identity providers may detect impossible travel, unfamiliar device sign-ins, or prompt fatigue patterns after the fact.
STEP 04

Translate spoofing into account abuse

Impact is usually downstream credential theft or session abuse, not device takeover. In enterprise terms, that means the real blast radius depends far more on your identity stack than on the browser bug itself.
Conditions required:
  • Captured secrets or approvals must still work against the target IdP or app
  • No stronger auth control blocks replay or token theft
Where this breaks in practice:
  • FIDO2/passkeys, device compliance checks, and risk-based access policies sharply limit payoff
  • The bug has no built-in path to code execution, persistence, or lateral movement
Detection/coverage: Best detection is in IdP logs, impossible-travel alerts, risky sign-in analytics, and mobile browser version compliance reporting.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusNo public evidence of active exploitation found; not present in CISA KEV.
Proof-of-concept availabilityNo public PoC repo or exploit write-up found in authoritative sources. This currently looks like a phishing-enabler, not a commoditized exploit.
EPSS0.00025 from the supplied intel; that is effectively near-floor exploit likelihood. Percentile was not confirmed from authoritative source pages during this review.
KEV statusNot KEV-listed as of this assessment; no CISA due date applies.
CVSS vectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N — the important bit is UI:R and only Integrity:L impact, which matches a spoofing/phishing amplifier more than a compromise primitive.
Vendor vs realitySupplied baseline says MEDIUM 4.3, but Google’s June 2026 Chrome security notes tag the bug with Chromium security severity: Low. That mismatch is a strong clue to downgrade.
Affected versionsChrome on iOS before 149.0.7827.53. Google release history shows stable iOS builds 149.0.7827.26 on 2026-05-20 and 149.0.7827.45 on 2026-05-27, both vulnerable.
Fixed version149.0.7827.53 on iOS. There are no distro backports to track here because this is an App Store-distributed mobile app, not a Linux package.
Exposure/scanning realityThis is not internet-scannable in the usual Shodan/Censys sense because the vulnerable surface is a mobile client application. Exposure data must come from MDM/UEM app inventory, not external attack-surface scanning.
Disclosure and reporterPublicly disclosed 2026-06-05; Google’s release notes list the underlying Chrome issue as reported by Google on 2026-04-12.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to LOW (2.9/10)

The decisive factor is attack-path friction: this bug needs the victim on Chrome for iOS, on a vulnerable version, opening a crafted page, and then trusting spoofed UI enough to act. That is a narrow, post-click phishing amplifier with weak direct blast radius, not a dependable enterprise compromise primitive.

HIGH Severity downgrade driven by required user interaction and limited technical impact
MEDIUM Mapping between Google’s short advisory text and aggregator 'UI spoofing' wording
HIGH No KEV listing or public exploitation evidence at time of review

Why this verdict

  • Downgrade for client-side scope: this hits a mobile browser app on end-user devices, not a server or shared control plane.
  • Downgrade for user interaction: the CVSS UI:R requirement is real here; no click, no exploit path.
  • Downgrade for attacker position realism: although technically unauthenticated remote, the attacker still needs phishing-style delivery and user trust, which modern mail filtering, DNS filtering, Safe Browsing, and user behavior often disrupt.
  • Downgrade for narrow exposure population: only orgs with meaningful managed iOS + Chrome usage are materially exposed; many enterprises are Safari-default or mobile-browser-agnostic.
  • Downgrade for limited blast radius: the bug appears to enable UI spoofing / sign-in deception, not code execution, persistence, lateral movement, or tenant-wide compromise.
  • Downgrade for lack of threat pressure: no KEV entry, no public exploit repo, and a very low supplied EPSS score all argue against urgent exploitation at scale.

Why not higher?

This is not a server-side pre-auth RCE, not a browser sandbox escape, and not an actively exploited zero-day. The attack assumes a phishing stage and depends on the victim completing the attacker’s story, which sharply reduces reliability and operational scale.

Why not lower?

It still affects a high-trust workflow: sign-in UI on mobile devices. If your executives, sales staff, or field users authenticate to SaaS apps from managed iPhones and Chrome is allowed, spoofed browser UI can materially improve phishing conversion, so this is not pure noise.

05 · Compensating Control

What to do — in priority order.

  1. Enforce app-version compliance — Use MDM/UEM to identify and block or nag-update Chrome for iOS below 149.0.7827.53. For a LOW verdict there is no formal mitigation SLA, but this is still good backlog hygiene and should be folded into the next mobile compliance sweep.
  2. Prefer phishing-resistant authentication — Require passkeys/FIDO2 for high-value apps and admin identities so spoofed sign-in chrome does not automatically translate into reusable credentials. This is the best control because it attacks the real outcome, not the rendering bug.
  3. Restrict unmanaged browser choice on iOS — If your mobile policy allows it, standardize browser use via MDM and reduce Chrome-on-iOS population where business need is weak. Fewer users on the affected app means less reachable population.
  4. Harden mobile web delivery paths — Keep mobile-safe browsing, DNS filtering, SMS/QR link inspection, and mail protection enabled to break the phishing stage before the browser bug matters. This is practical because the exploit still needs a lure URL.
  5. Monitor identity telemetry — Tune IdP alerts for risky sign-ins, MFA anomalies, impossible travel, and first-time device patterns. There is no rich exploit artifact here, so identity logs are where you catch abuse if spoofing succeeds.
What doesn't work
  • A network IDS/WAF will not meaningfully solve this because the vulnerable surface is a client-side mobile browser UI path, not a server endpoint you can shield.
  • Desktop Chrome patching does nothing for this iOS-specific issue; the affected population is in the mobile app inventory.
  • Traditional vuln scanners are largely blind here because there is no externally reachable service banner to fingerprint; you need MDM/UEM app-version data.
06 · Verification

Crowdsourced verification payload.

Run this on an auditor workstation or CI job against an MDM/UEM export CSV, not on the iPhone itself. Invoke it with python3 check_cve_2026_11280.py devices.csv; the CSV must include device_id, platform, app_name, and app_version columns. No admin privileges are required.

noisgate-verify.py
PYTHONREAD-ONLYSAFE
#!/usr/bin/env python3
# check_cve_2026_11280.py
# Determine exposure to CVE-2026-11280 from MDM/UEM inventory.
# Usage: python3 check_cve_2026_11280.py devices.csv
# Exit codes:
#   0 = all checked rows PATCHED
#   1 = one or more rows VULNERABLE
#   2 = usage error / unreadable file / insufficient data

import csv
import re
import sys
from typing import Optional, Tuple

FIXED_VERSION = (149, 0, 7827, 53)
IOS_NAMES = {"google chrome", "chrome", "google chrome: fast & secure"}


def parse_version(v: str) -> Optional[Tuple[int, ...]]:
    if not v:
        return None
    m = re.findall(r"\d+", v)
    if not m:
        return None
    try:
        return tuple(int(x) for x in m[:4])
    except ValueError:
        return None


def cmp_version(a: Tuple[int, ...], b: Tuple[int, ...]) -> int:
    max_len = max(len(a), len(b))
    aa = a + (0,) * (max_len - len(a))
    bb = b + (0,) * (max_len - len(b))
    if aa < bb:
        return -1
    if aa > bb:
        return 1
    return 0


def is_ios(platform: str) -> bool:
    p = (platform or "").strip().lower()
    return p in {"ios", "ipados", "iphone", "ipad", "iphoneos"}


def is_chrome(app_name: str) -> bool:
    return (app_name or "").strip().lower() in IOS_NAMES


def main() -> int:
    if len(sys.argv) != 2:
        print("UNKNOWN - usage: python3 check_cve_2026_11280.py devices.csv")
        return 2

    path = sys.argv[1]
    try:
        with open(path, newline="", encoding="utf-8-sig") as f:
            reader = csv.DictReader(f)
            required = {"device_id", "platform", "app_name", "app_version"}
            if not reader.fieldnames or not required.issubset(set(reader.fieldnames)):
                print("UNKNOWN - CSV must contain: device_id, platform, app_name, app_version")
                return 2

            saw_target = False
            vulnerable = []
            patched = []
            unknown = []

            for row in reader:
                device_id = (row.get("device_id") or "").strip() or "<unknown-device>"
                platform = row.get("platform") or ""
                app_name = row.get("app_name") or ""
                app_version = row.get("app_version") or ""

                if not is_ios(platform) or not is_chrome(app_name):
                    continue

                saw_target = True
                parsed = parse_version(app_version)
                if parsed is None:
                    unknown.append((device_id, app_version))
                    continue

                if cmp_version(parsed, FIXED_VERSION) < 0:
                    vulnerable.append((device_id, app_version))
                else:
                    patched.append((device_id, app_version))

    except FileNotFoundError:
        print(f"UNKNOWN - file not found: {path}")
        return 2
    except Exception as e:
        print(f"UNKNOWN - error reading CSV: {e}")
        return 2

    if not saw_target:
        print("UNKNOWN - no Chrome on iOS rows found in input")
        return 2

    if vulnerable:
        print("VULNERABLE")
        print(f"Affected rows: {len(vulnerable)}")
        for device_id, version in vulnerable[:50]:
            print(f"  {device_id}: Chrome iOS {version} < 149.0.7827.53")
        if unknown:
            print(f"Unknown-version rows: {len(unknown)}")
        return 1

    if patched and not vulnerable:
        print("PATCHED")
        print(f"Patched rows: {len(patched)}")
        if unknown:
            print(f"Unknown-version rows: {len(unknown)}")
            for device_id, version in unknown[:50]:
                print(f"  {device_id}: version parse failed ({version})")
        return 0

    print("UNKNOWN - no decisive rows found")
    return 2


if __name__ == "__main__":
    sys.exit(main())
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning, pull an MDM/UEM report of Chrome on iOS versions and identify users below 149.0.7827.53, especially execs and mobile-heavy SaaS users. For a LOW noisgate rating there is no mitigation SLA and noisgate remediation SLA treats this as backlog hygiene, so you do not need emergency disruption; fold version enforcement, safer authentication, and browser standardization into your normal mobile patch cycle and clear the vulnerable population in the next routine compliance wave.

Sources

  1. Google Chrome Releases 2026 index
  2. Google Chrome Stable for iOS Update (149.0.7827.45, May 27 2026)
  3. Google Chrome Help: Update Chrome on iPhone and iPad
  4. CISA Known Exploited Vulnerabilities Catalog
  5. FIRST EPSS overview
  6. FIRST EPSS API documentation
  7. CVE record
  8. NVD record
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.