HIGH | CVE-2026-11108 | CNA: Chrome

CVE-2026-11108: Inappropriate implementation in NFC in Google Chrome on Android prior to 149

Inappropriate implementation in NFC in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to perform privilege escalation via a crafted HTML page. (Chromium security severity: Medium)

Metrics

CVSS v3.1: 8.8
Severity: HIGH
Fixed in: 149.0.7827.53
Affected Products: 1


HarborGuard Analysis

Synopsis

This is a privilege escalation vulnerability caused by an inappropriate NFC implementation in Google Chrome on Android, affecting versions prior to 149.0.7827.53. The flaw is reachable over the network and requires no authentication, but the victim must visit a crafted HTML page for the attack to succeed. Successful exploitation gives the attacker elevated privileges within the browser context, with full impact to confidentiality, integrity, and availability. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection (Available)

Detection of CVE-2026-11108 is available across every HarborGuard environment, with the CVE matched against images in customer registries and CI/CD pipelines within minutes of publication. This coverage extends to custom-built images that bundle Chrome on Android, not just official upstream images.

Triage (Available)

HarborGuard is capable of scoring this CVE at its CVSS v3.1 rating of 8.8 (HIGH) and weighting it further against each customer organization's own compliance policy. Triage routing to the appropriate team inbox within each customer org is available automatically once the CVE is matched to an affected image.

Patch (Available)

A patched-image rebuild pinned to Chrome 149.0.7827.53 is available on HarborGuard for any environment running an affected version. For customers who opt into auto-remediation, HarborGuard can perform the rebuild, run regression tests, and open a pull request against affected workloads without manual intervention.

Exploit Conditions

  • Network reachability: Required

    The attacker delivers the exploit over the network; the victim's device must be able to reach and load the attacker-controlled HTML page.

  • Authentication: Not required

    No account or credentials on the target system are needed; any user browsing to the crafted page is a valid target.

  • Victim interaction: Required

    The victim must actively visit a crafted HTML page, making this a social-engineering scenario where the attacker must lure the user to a malicious URL.

  • Attack complexity: Detail

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other environmental preconditions.

Blast Radius

  • A successful attacker gains escalated privileges within the Chrome browser process on the victim's Android device.
  • With elevated privileges, the attacker can read sensitive data accessible to the browser, including stored credentials, session tokens, and browsing history.
  • The attacker can modify browser state or data, including saved form data and browser storage.
  • The attacker can crash or destabilize the Chrome process, disrupting the victim's browsing session.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-11108 is active across all connected registries and pipelines, matching any image that ships a vulnerable Chrome on Android build (versions below 149.0.7827.53). Where a compliance policy permits auto-remediation, HarborGuard will rebuild the affected image at the fixed version (149.0.7827.53), execute a regression test run, and open a pull request against affected workloads. For high-severity issues, the median time from CVE publication to a merged patch PR is around 90 minutes for environments with auto-remediation enabled. For environments where auto-remediation is not enabled, HarborGuard surfaces the finding with its 8.8 CVSS score and routes it to the configured team inbox for manual review and action.


Fix available: 149.0.7827.53

Affected packages

  • Google / Chrome
    < 149.0.7827.53 (from 149.0.7827.53)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H