HarborGuardharborguardDatabase
Back to search
HIGHCVE-2026-11272Published Modified CNA Chrome

CVE-2026-11272: Insufficient validation of untrusted input in Reading List in Google Chrome on iOS prior to 149

Insufficient validation of untrusted input in Reading List in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform privilege escalation via a crafted HTML page. (Chromium security severity: Low)

Metrics

CVSS v3.1
8.8
Severity
HIGH
Fixed in
149.0.7827.53
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

Insufficient input validation in the Reading List feature of Google Chrome on iOS (versions prior to 149.0.7827.53) allows a remote attacker to perform privilege escalation. Exploitation requires convincing a user to interact with a crafted HTML page through specific UI gestures, making it a network-reachable, user-assisted attack. Successful exploitation gives the attacker high-level control over confidentiality, integrity, and availability of the affected browser context. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection of CVE-2026-11272 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds, including custom-built iOS-targeted Chrome images. Any image carrying a Chrome version below 149.0.7827.53 is flagged automatically in both registry scans and CI/CD pipeline checks.

Available
Triage

HarborGuard scores this CVE at CVSS 8.8 HIGH and weights it against each customer environment's configured compliance policy to determine escalation priority. Triage findings are routed to the appropriate team inbox within the customer org based on policy rules, so the right engineers see the alert without manual sorting.

Available
Patch

A patched-image rebuild at Chrome 149.0.7827.53 becomes available in HarborGuard the moment the fix version is confirmed against the upstream advisory. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a PR against affected workloads automatically.

Available

Exploit Conditions

  • Network reachabilityRequired

    The attacker delivers a crafted HTML page over the network, so the targeted Chrome instance must be reachable or the user must browse to an attacker-controlled resource.

  • AuthenticationNot required

    No account or credential is needed; the attacker operates as an anonymous remote party.

  • Victim interactionRequired

    The user must be convinced to perform specific UI gestures on a crafted HTML page, requiring a social-engineering step to trigger the vulnerability.

  • Attack complexityDetail

    Attack complexity is low, meaning the exploit is reliable and requires no special timing, race conditions, or environmental preconditions beyond user interaction.

Blast Radius

  • A successful attacker reads sensitive browser data accessible to the Chrome process, including saved credentials, cookies, and browsing history stored within the Reading List context.
  • The attacker can modify browser state or persisted data, including bookmarks, Reading List entries, and potentially injected script execution within the elevated privilege context.
  • The attacker can crash or destabilize the Chrome browser process on the affected iOS device, disrupting the user's session.
  • Privilege escalation means the attacker gains capabilities beyond the normal renderer sandbox, increasing the reach of any secondary payload delivered through the crafted page.

How HarborGuard Handles This

Available on HarborGuard: this CVE is matched against all customer images immediately upon ingestion, covering both pulled and custom-built images that bundle Chrome for iOS. Where a customer image is found to carry a Chrome version below 149.0.7827.53, a rebuilt image at the fixed version is made available. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs regression tests, and opens a PR against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy requires manual approval before remediation, the finding is queued in the customer's triage inbox with full CVSS context and a direct link to the upstream Chromium advisory for reviewer sign-off.

See how HarborGuard automates this

Fix available

149.0.7827.53
Affected packages
  • Google / Chrome
    < 149.0.7827.53 (from 149.0.7827.53)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
References