HarborGuard Database
HIGH | CVE-2026-11172 | CNA: Chrome

CVE-2026-11172: Incorrect security UI in Contact Picker in Google Chrome on Android prior to 149

Incorrect security UI in Contact Picker in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)

Metrics

CVSS v3.1: 8.8 (HIGH)
Fixed in: 149.0.7827.53
Affected products: 1


HarborGuard Analysis

Synopsis

A UI spoofing vulnerability exists in the Contact Picker component of Google Chrome on Android, affecting versions prior to 149.0.7827.53. The flaw is reachable over the network without any authentication, but requires the victim to load a crafted HTML page delivered by the attacker. Successful exploitation lets an attacker spoof the security UI shown around the Contact Picker, deceiving the user into granting contact access or confirming other actions under false pretenses. The record's CVSS 3.1 vector scores 8.8 (HIGH) with High confidentiality, integrity, and availability impact, while Chromium itself rates the bug Medium; for a UI spoofing issue the concrete consequence is the contact data and follow-on actions the victim is tricked into, not a compromise of the browser process. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection (Available)

Detection of CVE-2026-11172 is available across every HarborGuard environment, with the CVE ingested from upstream feeds within minutes of publication and matched against images in customer registries, CI pipelines, and custom-built images. Any inventoried Chrome for Android build below 149.0.7827.53 is flagged automatically. Because the vulnerable component is the Android browser app rather than a server-side package, pairing this with device-management inventory (installed Chrome version per managed device) gives a more complete picture of exposure.
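The version check behind that flagging, shown here as an added example that is not HarborGuard's own code: it pulls Chrome-on-Android User-Agent strings out of combined-format web-server access-log lines, compares the four-part build number numerically against 149.0.7827.53 (a plain string comparison would wrongly treat 149.0.7827.100 as older than 149.0.7827.53), and returns the clients still on a vulnerable build. The log lines, IP addresses, and helper names are constructed for illustration.

```javascript
// Added example, not HarborGuard or Chromium code: flag Chrome-on-Android
// clients below the fixed build 149.0.7827.53 (CVE-2026-11172) in access logs.

const FIXED_VERSION = "149.0.7827.53";

// Parse a dotted Chrome version ("149.0.7827.53") into four numeric parts.
// Returns null when the string is not a 4-part numeric version.
function parseVersion(v) {
  const parts = v.split(".");
  if (parts.length !== 4 || !parts.every((p) => /^\d+$/.test(p))) return null;
  return parts.map(Number);
}

// Numeric comparison: -1 if a < b, 0 if equal, 1 if a > b.
// Comparing as strings would rank "149.0.7827.53" above "149.0.7827.100".
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  if (!pa || !pb) throw new Error(`bad version: ${a} / ${b}`);
  for (let i = 0; i < 4; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when the build is strictly below the fixed version.
function isAffected(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Extract the Chrome build from a UA string, only for Android clients
// (the advisory is specific to Chrome on Android). Returns null otherwise.
function chromeAndroidVersion(ua) {
  if (!/\bAndroid\b/.test(ua)) return null;
  const m = ua.match(/\bChrome\/(\d+\.\d+\.\d+\.\d+)/);
  return m ? m[1] : null;
}

// Pull the quoted User-Agent field out of a combined-format log line.
// Assumes the usual layout: ... "request" status bytes "referer" "user-agent"
function userAgentFromLogLine(line) {
  const quoted = line.match(/"([^"]*)"/g);
  if (!quoted || quoted.length < 3) return null;
  return quoted[quoted.length - 1].slice(1, -1);
}

// Scan log lines; return client IP and build for every vulnerable Android Chrome.
function findVulnerableClients(lines) {
  const hits = [];
  for (const line of lines) {
    const ua = userAgentFromLogLine(line);
    if (!ua) continue;
    const v = chromeAndroidVersion(ua);
    if (v && isAffected(v)) {
      hits.push({ ip: line.split(" ")[0], version: v });
    }
  }
  return hits;
}

// Constructed sample lines (not real traffic). Only .5 and .9 should be flagged:
// .6 is exactly the fixed build, .7 is newer, .8 is desktop Chrome.
const SAMPLE_LOG = [
  '10.0.0.5 - - [01/Jan/2026:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Linux; Android 15; Pixel 9) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/148.0.7700.10 Mobile Safari/537.36"',
  '10.0.0.6 - - [01/Jan/2026:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Linux; Android 15; Pixel 9) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/149.0.7827.53 Mobile Safari/537.36"',
  '10.0.0.7 - - [01/Jan/2026:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Linux; Android 15; Pixel 9) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/149.0.7827.100 Mobile Safari/537.36"',
  '10.0.0.8 - - [01/Jan/2026:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/148.0.7700.10 Safari/537.36"',
  '10.0.0.9 - - [01/Jan/2026:10:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Linux; Android 14; SM-S928B) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/149.0.7827.9 Mobile Safari/537.36"',
];

if (typeof require !== "undefined" && require.main === module) {
  console.log(findVulnerableClients(SAMPLE_LOG));
}
```

Run it with `node` to print the two flagged clients. Note that User-Agent reduction in recent Chrome builds can freeze the minor components of the version string, so treat UA-derived builds as a screening signal and confirm against device-management inventory before closing a finding.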

Triage (Available)

HarborGuard scores this CVE at CVSS 8.8 (HIGH) and weights it against each environment's compliance policy to determine escalation priority. Triage routing is available to direct alerts to the appropriate team inbox within each customer organization based on configured ownership rules.

Patch (Available)

A patched-image rebuild at Chrome 149.0.7827.53 becomes available on HarborGuard once the upstream fix is confirmed, ready to replace affected base images. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite against the new image, and opens a PR against affected workloads automatically.


Exploit Conditions

  • Network reachability: Required

    The attacker hosts or injects a crafted HTML page that the victim's browser then loads over the network; no inbound access to the device is needed.

  • Authentication: Not required

    No account or credentials are needed; any unauthenticated remote attacker can serve the malicious page.

  • Victim interaction: Required

    The victim must visit or be redirected to the attacker-controlled HTML page, making social engineering or malicious ad delivery the primary delivery mechanism.

  • Attack complexity: Low

    Exploit conditions are straightforward and reliable, with no race conditions or special environmental prerequisites required beyond victim interaction.

Blast Radius

  • Attacker spoofs Chrome security UI around the Contact Picker, tricking the victim into believing a legitimate permission dialog is being shown.
  • Victim is manipulated into granting contact access or confirming actions they would otherwise reject, exposing stored contact data.
  • Attacker can modify the perceived state of security indicators, enabling follow-on phishing or credential harvesting within the browser context.
  • The CVSS vector rates confidentiality, integrity, and availability impact as High; the concrete consequence described here is disclosure of contact data from the affected browsing session and the follow-on actions a spoofed dialog can induce.

How HarborGuard Handles This

Available on HarborGuard: images containing Google Chrome on Android below version 149.0.7827.53 are matched against this CVE within minutes of ingest, covering both registry-hosted and custom-built images. Where compliance policy permits, a patched-image rebuild at 149.0.7827.53 is made available immediately; for customers with auto-remediation enabled, HarborGuard performs the rebuild, executes a regression run, and opens a PR against affected workloads, with a median time from CVE publication to merged patch PR of around 90 minutes for high-severity issues in those environments. For environments where auto-remediation is not enabled, the rebuilt image is staged and waiting for manual promotion. In the interim, the useful compensating control on managed Android devices is to limit exposure to untrusted web content (URL allowlisting or content filtering through MDM) and to force Chrome updates through device management; restricting Chrome's update delivery path would only delay the fix and is not a mitigation.


Fix available: 149.0.7827.53

Affected packages
  • Google / Chrome: < 149.0.7827.53 (fixed in 149.0.7827.53)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H