How is CVE-2026-11035 exploited?

Network reachability (not-required): The attacker needs an existing shell or process on the host; no network access to the target is required. Authentication (required): Any low-privilege local account on the device is sufficient to attempt this exploit. Victim interaction (required): The victim must interact with a crafted XML file, requiring some degree of social engineering to deliver and trigger. Attack complexity (info): The exploit is reliable and condition-free once the attacker has local access and the victim interaction occurs; no race conditions or special environmental factors are required.

What is the impact of CVE-2026-11035?

A successful attacker gains elevated privileges beyond their original low-privilege account, enabling actions that would otherwise be restricted by Android's permission model. Confidential data stored on the device, including app data and credentials accessible at the escalated privilege level, is exposed to the attacker. The attacker can modify files, settings, or application data that are writable at the escalated privilege level, including persistent storage. The attacker can disrupt or terminate processes and services that are controllable at the escalated privilege level, affecting device stability.

Back to search

HIGHCVE-2026-11035Published 2026-06-04Modified 2026-06-05CNA Chrome

CVE-2026-11035: Inappropriate implementation in Custom Tabs in Google Chrome on Android prior to 149

Inappropriate implementation in Custom Tabs in Google Chrome on Android prior to 149.0.7827.53 allowed a local attacker to perform privilege escalation via a crafted XML file. (Chromium security severity: Medium)

CVSS v3.1: 7.3
Severity: HIGH
Fixed in: 149.0.7827.53
Affected Products: 1

HarborGuard Analysis

Synopsis

A privilege escalation vulnerability exists in the Custom Tabs implementation in Google Chrome on Android prior to version 149.0.7827.53. An attacker with an existing low-privilege account on the device can trigger the flaw locally by convincing a user to interact with a crafted XML file, escalating their privileges on the affected system. Successful exploitation gives the attacker full read, write, and execution capability at an elevated privilege level. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection of CVE-2026-11035 is available across every HarborGuard environment, with the CVE matched against customer images, including custom-built Android-based images, within minutes of upstream feed publication. Any image found to include a vulnerable Chrome version below 149.0.7827.53 is flagged immediately during registry scan or CI/CD pipeline check.

Available

Triage

HarborGuard is capable of scoring this finding at CVSS 7.3 (HIGH) and weighting it against each customer environment's compliance policy to determine urgency. Triage routing is available to direct the finding to the appropriate team inbox within each customer org based on policy configuration.

Available

Patch

A patched-image rebuild at Chrome version 149.0.7827.53 becomes available through HarborGuard once the fix version is resolved against affected images. For customers who opt into auto-remediation, HarborGuard can perform the rebuild, run regression tests, and open a PR against affected workloads automatically.

Available

Exploit Conditions

Network reachabilityNot required
The attacker needs an existing shell or process on the host; no network access to the target is required.
AuthenticationRequired
Any low-privilege local account on the device is sufficient to attempt this exploit.
Victim interactionRequired
The victim must interact with a crafted XML file, requiring some degree of social engineering to deliver and trigger.
Attack complexityDetail
The exploit is reliable and condition-free once the attacker has local access and the victim interaction occurs; no race conditions or special environmental factors are required.

Blast Radius

A successful attacker gains elevated privileges beyond their original low-privilege account, enabling actions that would otherwise be restricted by Android's permission model.
Confidential data stored on the device, including app data and credentials accessible at the escalated privilege level, is exposed to the attacker.
The attacker can modify files, settings, or application data that are writable at the escalated privilege level, including persistent storage.
The attacker can disrupt or terminate processes and services that are controllable at the escalated privilege level, affecting device stability.

How HarborGuard Handles This

Available on HarborGuard: scanning capability for this CVE is active against all customer images the moment the advisory is ingested, with no manual configuration needed. Where compliance policy permits, customers with auto-remediation enabled get a rebuilt image at Chrome 149.0.7827.53, a regression-test run, and a PR opened against affected workloads. For HIGH-severity issues, median time from CVE publication to merged patch PR for environments with auto-remediation enabled is around 90 minutes. For customers who have not enabled auto-remediation, HarborGuard surfaces the finding with CVSS scoring and fix-version detail so engineering teams can act immediately. Because the exploit requires local access and victim interaction with a crafted XML file, customers running Android-based container workloads should also consider restricting untrusted file handling paths as a compensating control while rollout of the patched version is in progress.

See how HarborGuard automates this

Fix available

149.0.7827.53

Affected packages

Google / Chrome
< 149.0.7827.53 (from 149.0.7827.53)

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

References

Metrics

Get notified

HarborGuard Analysis

Synopsis

HarborGuard Coverage

Exploit Conditions

Blast Radius

How HarborGuard Handles This

Fix available