CVE-2026-11167: Inappropriate implementation in WebView in Google Chrome on Android prior to 149
Inappropriate implementation in WebView in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)
Metrics
- CVSS v3.1: 9.6
- Severity: CRITICAL
- Fixed in: 149.0.7827.53
- Affected Products: 1
HarborGuard Analysis
Synopsis
A sandbox escape vulnerability exists in the WebView component of Google Chrome on Android in versions prior to 149.0.7827.53. The flaw is reachable over the network and requires no authentication, though a victim must interact with a crafted HTML page; exploitation also requires that an attacker has already compromised the renderer process. Successful exploitation lets the attacker read and modify data and disrupt availability outside the WebView sandbox, effectively escaping the browser's isolation layer. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection for CVE-2026-11167 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built Android or Chrome-embedded images, in both registry scans and CI/CD pipeline checks.
HarborGuard scores this CVE at CVSS 9.6 (Critical) and weights it against each environment's compliance policy to determine urgency, then routes the finding to the appropriate team inbox within the customer organization.
A patched-image rebuild pinned to Chrome 149.0.7827.53 becomes available on HarborGuard for any environment where an affected version is detected. For customers with auto-remediation enabled, HarborGuard triggers a rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
  The attacker delivers the crafted HTML page over the network, so the affected service must be reachable from an external or remote origin.
- Authentication: Not required
  No account or credential is needed; the attacker can target any user who browses to the malicious page.
- Victim interaction: Required
  The victim must visit or be directed to a crafted HTML page, making this a social-engineering or drive-by delivery scenario.
- Attack complexity: Detail
  The exploit is considered condition-free and reliable once the renderer process has been compromised, with no race conditions or memory-layout dependencies required at this stage.
Blast Radius
- An attacker who triggers the sandbox escape reads data stored outside the WebView sandbox, including credentials, session tokens, and local app storage belonging to the host application.
- The attacker writes to or modifies files and application state beyond the WebView boundary, enabling persistent tampering with the host Android application.
- The attacker can crash or disrupt the host process and any services it manages, causing denial of service for the application.
- Because scope is changed (S:C in the CVSS vector), impact extends beyond the vulnerable component itself to other components sharing the same device context.
How HarborGuard Handles This
Available on HarborGuard: detection for this CVE fires within minutes of publication across all scanned images, including custom Android or Chrome-WebView-embedding images. For environments with auto-remediation enabled, HarborGuard initiates a rebuild at the fixed version (149.0.7827.53), runs regression tests against the rebuilt image, and opens a pull request against affected workloads. The median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy requires manual approval before merging, the PR and build artifacts are staged and waiting for reviewer action. Customers who have not enabled auto-remediation can use HarborGuard's policy console to identify every image and pipeline stage affected by this CVE and prioritize the upgrade to 149.0.7827.53.
Fix available
- Google / Chrome < 149.0.7827.53 (from 149.0.7827.53)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H