CVE-2026-11295 · Inappropriate implementation in WebView in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to perform privilege es

01 · The Real Story

This is more like a sticky lock inside a car door than a master key to the building

CVE-2026-11295 is a WebView flaw affecting Google Chrome on Android before 149.0.7827.53, with the Android stable train carrying the corresponding fixes in Chrome for Android 149.0.7827.59. The public description says a remote attacker can trigger privilege escalation with a crafted HTML page, which means the bug is at least content-reachable from web content shown in Chrome or an app embedding Chromium-based WebView.

The severity story is where this falls apart. Your supplied 8.8/HIGH label does not match Chrome's own June 2, 2026 release notes, which classify CVE-2026-11295 as Low; absent bug details, public exploit code, KEV status, or evidence that this is a one-bug remote-to-system chain, the vendor-style CVSS overstates enterprise urgency. For a team managing 10,000 hosts, this is a mobile-client patching item, not a queue-jumping incident.

"Remote and real, but this looks like mobile browser hygiene—not an enterprise patch fire."

02 · The Attack Path

4 steps from start to impact.

STEP 01

Deliver crafted web content

The attacker needs a user to load a malicious page in Chrome on Android or inside an app that embeds the affected WebView engine. The delivery vector is ordinary web content: link, ad, redirect, or content rendered inside a managed or unmanaged mobile app. No public weaponized kit is tied to this CVE yet.

Conditions required:

Target uses Chrome on Android or an affected Chromium-based WebView build
User reaches attacker-controlled HTML content
Device has not yet updated past the fixed build train

Where this breaks in practice:

Requires *user interaction* (UI:R)
Applies to Android/mobile only, not your desktop Chrome estate
Many enterprise mobile fleets already auto-update Chrome/WebView through Play + MDM policy

Detection/coverage: Traditional perimeter scanners will miss this; detection is mostly version inventory via MDM/Play/ADB, plus mobile telemetry if you have it.

STEP 02

Trigger the WebView implementation flaw

Once the page is rendered, specific HTML/JS-driven behavior reaches the vulnerable code path in WebView. The public bug is still restricted, so there is no trustworthy detail showing whether this is a broad, reliable trigger or a narrow corner case. That uncertainty matters because Chromium tagged the issue Low, which usually means strong mitigating factors or limited practical scope.

Conditions required:

The vulnerable code path is reachable in the target app/browser context
The malicious page can reliably exercise the bug on the device/OS combination

Where this breaks in practice:

No public PoC reduces attacker commoditization
No public crash signatures, exploit chain, or reliability notes
Fragmentation across Android versions, app wrappers, and WebView consumers can reduce exploit consistency

Detection/coverage: No broadly available scanner or Nuclei-style check exists; version-based exposure mapping is the realistic control.

STEP 03

Convert bug behavior into privilege gain

The description says 'privilege escalation,' but the public record does not prove a clean jump from untrusted web content to meaningful device- or app-level control in one step. In Chromium's own severity model, true no-precondition privilege escalation would rate much higher; the low vendor classification strongly suggests the effective privilege gain is constrained, brittle, or only useful in combination with other bugs.

Conditions required:

The flaw must provide a usable privilege boundary crossing, not just malformed state or limited abuse
The gained privileges must matter in the target app/device context

Where this breaks in practice:

Chrome's official severity is Low, which is a major downward signal
No evidence of a renderer escape, sandbox escape chain, or OS-level takeover
Enterprise mobile controls can contain blast radius to one user/device/app context

Detection/coverage: Expect little direct exploit detection; post-fact indicators would likely be app instability, anomalous browser behavior, or follow-on abuse visible in mobile EDR if deployed.

STEP 04

Operationalize impact

For this to become a real enterprise event, the attacker still has to convert a single-user mobile browsing event into business impact: session theft, app data exposure, or lateral movement via the user's accounts. That is a long way from the public description. In most real deployments, this is a narrow mobile endpoint issue, not a fleet-wide remote compromise primitive.

Conditions required:

Compromised user/device has access to sensitive enterprise resources
Attacker can capitalize on any gained capability before the app/browser updates

Where this breaks in practice:

Blast radius is typically one device or one user session
No internet-facing server exposure to mass-scan
Managed mobile fleets can revoke access, rotate sessions, and enforce browser compliance

Detection/coverage: Watch MDM compliance drift and conditional-access failures rather than internet exposure scanners.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No public exploitation evidence found in the sources reviewed, and it is not KEV-listed.
Proof-of-concept availability	No public PoC located. The referenced Chromium issue is still restricted, which limits attacker commoditization.
EPSS	`0.00077` from the supplied intel block — extremely low predicted near-term exploitation probability.
KEV status	Not listed in CISA KEV as of the disclosure window on 2026-06-05.
Severity conflict	Your supplied baseline is `8.8/HIGH` with `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H`, but Chrome's own June 2, 2026 release notes mark CVE-2026-11295 as Low.
Affected versions	Google describes affected builds as Chrome on Android prior to `149.0.7827.53`; Chrome for Android `149.0.7827.59` states it carries the same security fixes as the corresponding desktop `149.0.7827.53/54` release.
Fixed versions	Treat Chrome for Android `149.0.7827.59` or later as patched for the Android stable train carrying this fix set; the advisory anchor is desktop `149.0.7827.53/54`.
Exposure model	This is client-side mobile exposure, not an internet-facing service. Shodan/Censys/FOFA-style scanning is largely irrelevant because reachability depends on a user loading malicious content.
Disclosure timeline	Public disclosure: 2026-06-05. Chrome release notes show the bug was reported by Google on 2026-04-14.
Researcher / reporter	Google is the reporter listed in Chrome's release note entry.

04 · The Call

noisgate verdict.

Final Verdict

↓ DOWNGRADED to LOW (3.2/10)

The decisive factor is that Chrome itself classifies this CVE as Low, which is fundamentally inconsistent with the supplied 8.8/HIGH story for a supposed no-auth remote privilege escalation. In real enterprise conditions this is a user-driven, Android-only, client-side issue with no KEV listing, no public PoC, and no evidence that it delivers a reliable one-bug path to meaningful system compromise.

HIGH The supplied `HIGH/8.8` baseline is overstating enterprise urgency

MEDIUM Final LOW bucket assignment despite sparse technical bug details

Why this verdict

Vendor conflict matters: the official Chrome release note for June 2, 2026 labels CVE-2026-11295 as Low, so I am explicitly adjusting down from the supplied 8.8/HIGH baseline.
Requires attacker-to-user content delivery: this is UI:R, which means the attacker needs the victim to render crafted HTML in Chrome/WebView rather than hitting an always-on service.
Android/WebView only shrinks the reachable population: this is not your Windows/macOS/Linux browser fleet, and in many enterprises only a subset of users even sit in scope.
No exploit signal: no KEV entry, no public PoC, and no public campaign reporting means there is no threat-intel amplifier pushing this upward.
Blast radius is narrow: the realistic impact starts at one mobile app/browser context on one device, not broad unauthenticated network compromise.

Why not higher?

If this were a demonstrated remote-to-system privilege escalation with no meaningful preconditions, Chrome would not be rating it Low. The missing pieces are exactly the ones that matter operationally: public exploitability detail, exploitation evidence, and proof that the privilege gain crosses a strong boundary in a reliable way.

Why not lower?

I am not calling it IGNORE because it is still a real security fix in a ubiquitous mobile rendering engine, and the public description does say privilege escalation from crafted web content. Even when the practical exploit story looks weak, remote content-reachable bugs in browsers/WebView deserve eventual patch coverage and version compliance.

05 · Compensating Control

What to do — in priority order.

Enforce auto-update compliance — Use MDM/EMM plus managed Google Play policy to keep Chrome on Android and Android System WebView current. For a LOW noisgate verdict there is no SLA (treat as backlog hygiene), so fold this into your normal mobile compliance cycle rather than emergency change windows.
Inventory lagging Android browsers — Pull package/version inventory for com.android.chrome and com.google.android.webview, then flag devices below the fixed train. Again, LOW means no SLA (treat as backlog hygiene); this is a cleanup task for your next routine mobile patch sweep.
Constrain unmanaged browsing paths — Where policy allows, force enterprise links into the managed browser profile and restrict risky unmanaged apps that embed WebView for sensitive workflows. This reduces exposure while you clean up laggards, but for LOW there is no mitigation SLA beyond ordinary control hygiene.

What doesn't work

A WAF or perimeter IPS will not solve this because the vulnerable component is a client-side Android browser/WebView renderer, not a server endpoint.
Internet exposure scanning is mostly noise here; Shodan-style discovery does not tell you which phones or apps are running the vulnerable WebView build.
Desktop Chrome patching does not close the mobile/WebView population if Android Chrome or Android System WebView remain behind.

06 · Verification

Crowdsourced verification payload.

Run this on an auditor workstation with adb installed, pointed at a USB-connected or enterprise-debuggable Android device. Invoke it as ./check_cve_2026_11295.sh <device-serial> or just ./check_cve_2026_11295.sh for the only attached device; it needs adb shell access but no root.

noisgate-verify.sh

BASHREAD-ONLYSAFE

#!/usr/bin/env bash
# check_cve_2026_11295.sh
# Verify exposure to CVE-2026-11295 on an Android device via adb.
# Outputs exactly one of: VULNERABLE / PATCHED / UNKNOWN
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

set -u

TARGET_FIX="149.0.7827.53"
SERIAL="${1:-}"
ADB=(adb)
if [[ -n "$SERIAL" ]]; then
  ADB+=( -s "$SERIAL" )
fi

have_cmd() {
  command -v "$1" >/dev/null 2>&1
}

if ! have_cmd adb; then
  echo "UNKNOWN"
  exit 2
fi

get_version() {
  local pkg="$1"
  "${ADB[@]}" shell dumpsys package "$pkg" 2>/dev/null | sed -n 's/.*versionName=//p' | head -n1 | tr -d '\r'
}

ver_ge() {
  # returns 0 if $1 >= $2
  [[ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n1)" == "$1" ]]
}

STATE=$("${ADB[@]}" get-state 2>/dev/null || true)
if [[ "$STATE" != "device" ]]; then
  echo "UNKNOWN"
  exit 2
fi

CHROME_VER=$(get_version com.android.chrome)
WEBVIEW_VER=$(get_version com.google.android.webview)
TRICHROME_VER=$(get_version com.google.android.trichromelibrary)

# Prefer direct app/package evidence. If Chrome or WebView exists and is below the fixed train, mark vulnerable.
if [[ -n "$CHROME_VER" ]]; then
  if ver_ge "$CHROME_VER" "$TARGET_FIX"; then
    CHROME_STATUS="PATCHED"
  else
    CHROME_STATUS="VULNERABLE"
  fi
else
  CHROME_STATUS="UNKNOWN"
fi

if [[ -n "$WEBVIEW_VER" ]]; then
  if ver_ge "$WEBVIEW_VER" "$TARGET_FIX"; then
    WEBVIEW_STATUS="PATCHED"
  else
    WEBVIEW_STATUS="VULNERABLE"
  fi
else
  WEBVIEW_STATUS="UNKNOWN"
fi

# If either installed component is explicitly vulnerable, call it vulnerable.
if [[ "$CHROME_STATUS" == "VULNERABLE" || "$WEBVIEW_STATUS" == "VULNERABLE" ]]; then
  echo "VULNERABLE"
  exit 1
fi

# If at least one relevant component is present and patched, call it patched.
if [[ "$CHROME_STATUS" == "PATCHED" || "$WEBVIEW_STATUS" == "PATCHED" ]]; then
  echo "PATCHED"
  exit 0
fi

# Fallback hint: trichrome library may exist on some builds, but alone is not enough for a definitive call.
if [[ -n "$TRICHROME_VER" ]]; then
  if ver_ge "$TRICHROME_VER" "$TARGET_FIX"; then
    echo "UNKNOWN"
    exit 2
  fi
fi

echo "UNKNOWN"
exit 2

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning: do not let this displace server-side RCEs, auth bypasses, or anything KEV-backed. For a LOW verdict there is no noisgate mitigation SLA and no SLA (treat as backlog hygiene), so go straight to standard mobile patch hygiene: verify managed Google Play/MDM are moving Android Chrome and WebView to the fixed train, identify laggards, and close them in your normal patch cycle; the noisgate remediation SLA for LOW is also no SLA (treat as backlog hygiene), so document the downgrade rationale and clean it up without emergency scheduling.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.