How is CVE-2026-11175 exploited?

Network reachability (required): The attacker must deliver the crafted HTML page to the victim over the network, so the vulnerable Chrome instance must be reachable or browsing to an attacker-controlled origin. Authentication (not-required): No account or credential is needed; the attacker requires no prior authentication to the target. Victim interaction (required): The victim must visit or otherwise interact with a crafted HTML page, making social engineering a prerequisite for exploitation. Attack complexity (info): Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other unpredictable environmental factors.

What is the impact of CVE-2026-11175?

A successful attacker reads sensitive data accessible within the Chrome Messages context, such as stored messages or session tokens. The attacker can modify or inject data within the spoofed UI, causing the victim to submit credentials or approve actions under a forged interface. The attack can disrupt availability of the Chrome Messages component, degrading or crashing the affected service on the victim device. All three impact dimensions (confidentiality, integrity, availability) are rated high, so the attacker gains broad control over the data and function exposed through the vulnerable component.

Back to search

HIGHCVE-2026-11175Published 2026-06-04Modified 2026-06-05CNA Chrome

CVE-2026-11175: Incorrect security UI in Messages in Google Chrome on Android prior to 149

Incorrect security UI in Messages in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)

CVSS v3.1: 8.8
Severity: HIGH
Fixed in: 149.0.7827.53
Affected Products: 1

HarborGuard Analysis

Synopsis

UI spoofing vulnerability in Google Chrome for Android (Messages component) allows a remote attacker to present a forged security interface to victims via a crafted HTML page. Exploitation requires no authentication but does require the victim to visit or interact with a malicious page; the attack is reachable over the network. Successful exploitation gives the attacker high confidentiality, integrity, and availability impact, enabling credential theft, data tampering, or service disruption through the spoofed interface. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection for CVE-2026-11175 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built Android-based container images that bundle Chrome.

Available

Triage

HarborGuard scores this CVE at CVSS 8.8 (HIGH) and is capable of applying per-environment compliance policy weighting to determine urgency, then routing alerts to the appropriate team inbox within each customer organization.

Available

Patch

A patched-image rebuild targeting Chrome 149.0.7827.53 becomes available on HarborGuard once the fix version is confirmed in the upstream advisory. For customers who opt into auto-remediation, HarborGuard can perform the rebuild, run a regression test suite, and open a PR against affected workloads automatically.

Available

Exploit Conditions

Network reachabilityRequired
The attacker must deliver the crafted HTML page to the victim over the network, so the vulnerable Chrome instance must be reachable or browsing to an attacker-controlled origin.
AuthenticationNot required
No account or credential is needed; the attacker requires no prior authentication to the target.
Victim interactionRequired
The victim must visit or otherwise interact with a crafted HTML page, making social engineering a prerequisite for exploitation.
Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other unpredictable environmental factors.

Blast Radius

A successful attacker reads sensitive data accessible within the Chrome Messages context, such as stored messages or session tokens.
The attacker can modify or inject data within the spoofed UI, causing the victim to submit credentials or approve actions under a forged interface.
The attack can disrupt availability of the Chrome Messages component, degrading or crashing the affected service on the victim device.
All three impact dimensions (confidentiality, integrity, availability) are rated high, so the attacker gains broad control over the data and function exposed through the vulnerable component.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-11175 is matched against customer images within minutes of publication, covering both upstream Chrome base images and any custom images that bundle an affected Chrome for Android version. Where compliance policy permits, auto-remediation can trigger a rebuild at 149.0.7827.53, run regression tests, and open a PR against affected workloads; for high-severity issues, the median time from CVE publication to merged patch PR in environments with auto-remediation enabled is around 90 minutes. Customers who have not enabled auto-remediation receive a prioritized alert routed to the appropriate team inbox, with the patched rebuild standing by for manual promotion. If a temporary workaround is needed before patching, network policy controls can be used to restrict outbound browsing paths or flag untrusted HTML origins at the ingress layer until the patched image is deployed.

See how HarborGuard automates this

Fix available

149.0.7827.53

Affected packages

Google / Chrome
< 149.0.7827.53 (from 149.0.7827.53)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

Metrics

Get notified

HarborGuard Analysis

Synopsis

HarborGuard Coverage

Exploit Conditions

Blast Radius

How HarborGuard Handles This

Fix available