CVE-2026-11297 · Insufficient validation of untrusted input in Reader Mode in Google Chrome on Android prior to 149.0.7827.53 allowed a local attacker to byp

01 · The Real Story

This is a bent key for one apartment door, not a master key for the whole building

CVE-2026-11297 is an improper input validation bug in Reader Mode in Google Chrome on Android. Affected versions are Chrome on Android before 149.0.7827.53; Google’s June 2, 2026 Chrome 149 stable release notes list this issue as Low severity, and the CVE description says exploitation requires a local attacker and a malicious file to bypass Reader Mode navigation restrictions.

The published 7.7/HIGH CVSS from CISA-ADP overstates real enterprise risk. In practice this is a local, post-initial-access, single-device issue with no evidence of internet-scale exposure, no KEV listing, near-zero EPSS, and impact that appears limited to a browser policy/navigation boundary rather than remote code execution or cross-device compromise.

"This is a post-compromise Android browser edge case, not a fleet-wide emergency."

02 · The Attack Path

4 steps from start to impact.

STEP 01

Get code or file placement on the Android device

The attacker first needs a foothold on the handset or a way to place a crafted local file where Chrome can access it. In real terms, that usually means a malicious app, prior compromise, physical access, or an already-compromised work profile. The weaponized tool here is the malicious local file referenced in the CVE, typically staged by an app or userland process.

Conditions required:

Attacker has local execution, app-level access, or physical access on the Android device
Chrome on Android is installed and below 149.0.7827.53
Attacker can place or trigger opening of a crafted file

Where this breaks in practice:

This is AV:L: no remote internet path
Android app sandboxing and enterprise app controls reduce arbitrary file staging
Many enterprise mobile fleets do not permit untrusted sideloading or unmanaged local file workflows

Detection/coverage: Network scanners will miss this entirely. MDM/UEM inventory can identify Chrome version drift; mobile EDR may catch the precursor app or suspicious file delivery, but signature coverage for this specific CVE is likely weak.

STEP 02

Reach the Reader Mode parsing path

The planted file must be opened in a path that exercises Chrome’s Reader Mode handling. A likely mechanism is an Android Intent or local open action that causes Chrome to render or distill the content under Reader Mode constraints. The weaponized tool here is the Android intent/open-with flow into Chrome.

Conditions required:

Reader Mode code path is reachable from the attacker-controlled file
Chrome accepts the file/open action without additional guardrails
No enterprise policy blocks local content opening in Chrome

Where this breaks in practice:

Reader Mode is a niche path compared with normal web navigation
Userland workflows vary by OEM, Android version, and managed profile settings
Some deployments may never hit this code path during routine enterprise use

Detection/coverage: Detection is mostly indirect: app-open telemetry, intent-launch logs in EDR/UEM, and user reports of odd browser behavior. Traditional vuln scanning has essentially no coverage here.

STEP 03

Exploit the navigation restriction bypass

Once inside the vulnerable Reader Mode path, insufficient validation lets the malicious input bypass intended navigation restrictions. The most plausible enterprise-relevant outcomes are browser state manipulation, policy boundary bypass inside that rendering context, or browser instability on that device. The weaponized component is the Reader Mode input validation flaw itself.

Conditions required:

Crafted input successfully reaches the vulnerable validation logic
Target device is still on a vulnerable Chrome build
Exploit chain does not require additional undisclosed mitigations to fail

Where this breaks in practice:

The described impact is not remote code execution
Blast radius is limited to the affected app/session on one device
No public evidence currently shows reliable weaponization at scale

Detection/coverage: At best, crash telemetry, anomalous browser events, or mobile EDR behavior analytics may show symptoms. There is unlikely to be dependable CVE-specific network or IDS detection.

STEP 04

Real-world impact stays contained to the handset

Even if exploitation works, the attacker is still operating from a local foothold against a single Android endpoint. That makes this a post-compromise amplifier, not an initial-access vulnerability. The weaponized outcome is a local browser policy/navigation bypass with limited fleet blast radius.

Conditions required:

Enterprise data is actually reachable through the affected Chrome session
Device is enrolled in workflows where Chrome access matters to business operations
Other mobile controls do not already limit attacker actions

Where this breaks in practice:

Single-user, single-device scope
Modern mobile management, work profiles, conditional access, and app controls often constrain follow-on value
No direct path to broad enterprise compromise is evidenced by the advisory

Detection/coverage: Containment and visibility come from UEM, mobile threat defense, and account-level telemetry rather than vulnerability scanners.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No public evidence of active exploitation found in the sources reviewed; not KEV-listed as of the CISA catalog checked.
Proof-of-concept availability	No public PoC or Metasploit module surfaced in primary-source review. Chromium issue 502502017 exists, but details are restricted.
EPSS	0.00007 (~0.007%), effectively floor-level exploit likelihood for the next 30 days.
KEV status	No. No KEV entry/date found in the CISA KEV catalog.
CVSS vector reality check	`CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H` yields 7.7/HIGH, but the decisive term is AV:L. That means this is already on-device, which sharply narrows exposed population.
Vendor severity mismatch	Google’s Chrome 149 stable release notes label CVE-2026-11297 as Low, while NVD shows a CISA-ADP 7.7/HIGH score. For patch prioritization, the vendor characterization matches operational reality better.
Affected versions	Google Chrome on Android prior to 149.0.7827.53.
Fixed version	Upgrade Chrome on Android to 149.0.7827.53 or later. Android Chrome releases generally track corresponding desktop security fixes unless otherwise noted in Chrome release notes.
Exposure / scanning reality	This is not meaningfully internet-scannable. Shodan/Censys-style exposure data is not useful because the vulnerable surface is a local Android client path, not a remotely exposed service.
Disclosure and reporter	Publicly disclosed 2026-06-05 (NVD received 2026-06-04). Chrome release notes say it was reported by Google on 2026-04-14.

04 · The Call

noisgate verdict.

Final Verdict

↓ DOWNGRADED to LOW (3.3/10)

The single biggest downward pressure is attacker position: this requires local access on an Android device, which means the attacker is already past your primary perimeter and device controls. That collapses the exposed population from 'every Chrome install' to 'already-compromised or locally accessible phones using a niche Reader Mode file path.'

HIGH Local attacker requirement materially limits exposure

MEDIUM Impact is meaningfully lower than 7.7/HIGH in enterprise deployments

MEDIUM Exploit path specifics are partially obscured by restricted Chromium bug details

Why this verdict

Local-only prerequisite: AV:L means the attacker needs on-device presence, physical access, or an already-malicious app. That is post-initial-access, and each prerequisite compounds downward pressure on severity.
Niche reachable population: the vulnerable path is Reader Mode with a malicious file, not mainstream remote web content at internet scale. Only a subset of Android Chrome users will ever exercise this path in ways an attacker can control.
Weak threat intel: no KEV listing, no active exploitation evidence, and an EPSS of 0.00007 all argue against emergency treatment.
Limited blast radius: even successful exploitation appears confined to one Android device and one browser context; there is no evidence of tenant-wide, domain-wide, or server-side compromise.
Vendor reality check: Google itself tagged the issue Low in Chrome 149 release notes, which better reflects field conditions than the abstract CISA-ADP CVSS baseline.

Why not higher?

This is not unauthenticated remote code execution, not a wormable service bug, and not an externally reachable enterprise server flaw. The attacker must already be on the device or able to stage a malicious local file, which is exactly the kind of prerequisite that should crush priority for fleet patching.

Why not lower?

It still crosses a security boundary inside Chrome and is fixed in a stable release, so it is not noise. If you run managed Android fleets, kiosks, or shared frontline devices where Chrome is a business-critical access path, there is still value in rolling the update during normal hygiene.

05 · Compensating Control

What to do — in priority order.

Block unmanaged app installs — Use MDM/UEM policy to prevent sideloading and restrict unknown app sources, because the most realistic precursor is a malicious local app staging the crafted file. For a LOW verdict there is no mitigation SLA (treat as backlog hygiene), so apply this through normal mobile hardening cadence.
Restrict Chrome version drift — Enforce minimum Chrome versions on managed Android devices and flag anything below 149.0.7827.53. For a LOW verdict there is no remediation SLA (treat as backlog hygiene), so handle this in your next standard mobile app update cycle.
Constrain local file handling — Where business permits, limit unmanaged file shares, personal storage, and open-with flows into Chrome from untrusted apps or profiles. This reduces the chance that a crafted local file reaches the vulnerable Reader Mode path, and it can be rolled out during normal policy maintenance for this LOW issue.
Use work profile separation — Keep enterprise accounts and data inside managed work profiles so a compromised personal-side app has less leverage over enterprise Chrome usage. This is a durable compensating control and fits normal backlog-hygiene timing for a LOW finding.

What doesn't work

A WAF does not help; the path is local Android file handling in a client app, not inbound web traffic to a server.
Perimeter NGFW tuning does not help much; there is no exposed network service to shield.
Relying on password resets or MFA does not address the browser-side navigation restriction bypass itself.

06 · Verification

Crowdsourced verification payload.

Run this on an auditor workstation or admin laptop with Android Platform Tools (adb) installed and a USB- or network-connected managed Android device. Invoke it as ./check_cve_2026_11297.sh com.android.chrome; it needs ADB access to the target device, but not root.

noisgate-verify.sh

BASHREAD-ONLYSAFE

#!/usr/bin/env bash
# check_cve_2026_11297.sh
# Determine whether Google Chrome on Android is vulnerable to CVE-2026-11297.
# Usage: ./check_cve_2026_11297.sh [package_name]
# Example: ./check_cve_2026_11297.sh com.android.chrome
# Exit codes:
#   0 = PATCHED
#   1 = VULNERABLE
#   2 = UNKNOWN / error

set -u

PKG="${1:-com.android.chrome}"
FIXED="149.0.7827.53"

if ! command -v adb >/dev/null 2>&1; then
  echo "UNKNOWN: adb not found in PATH"
  exit 2
fi

if ! adb get-state >/dev/null 2>&1; then
  echo "UNKNOWN: no ADB device available"
  exit 2
fi

VERSION_LINE=$(adb shell dumpsys package "$PKG" 2>/dev/null | tr -d '\r' | grep -m1 'versionName=')
if [ -z "$VERSION_LINE" ]; then
  echo "UNKNOWN: package '$PKG' not found or versionName unavailable"
  exit 2
fi

INSTALLED="${VERSION_LINE#*=}"
INSTALLED="${INSTALLED%% *}"

# Compare dotted versions using sort -V.
LOWEST=$(printf '%s\n%s\n' "$INSTALLED" "$FIXED" | sort -V | head -n1)

if [ "$INSTALLED" = "$FIXED" ]; then
  echo "PATCHED: $PKG version $INSTALLED meets fixed version $FIXED"
  exit 0
fi

if [ "$LOWEST" = "$INSTALLED" ]; then
  echo "VULNERABLE: $PKG version $INSTALLED is older than fixed version $FIXED"
  exit 1
else
  echo "PATCHED: $PKG version $INSTALLED is newer than fixed version $FIXED"
  exit 0
fi

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning: do not burn emergency cycles on this one. Treat CVE-2026-11297 as mobile backlog hygiene: use UEM/MDM to identify managed Android devices running Chrome below 149.0.7827.53, fold those devices into your normal Chrome-for-Android update wave, and document the rationale that this is a local, post-compromise bug with no KEV or active exploitation evidence. For a LOW verdict, there is no noisgate mitigation SLA and no noisgate remediation SLA beyond routine backlog hygiene, so handle it in your next scheduled mobile app maintenance cycle rather than as an out-of-band incident.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.