CVE-2026-11295: Inappropriate implementation in WebView in Google Chrome on Android prior to 149
Inappropriate implementation in WebView in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to perform privilege escalation via a crafted HTML page. (Chromium security severity: Low)
Metrics
- CVSS v3.1: 8.8
- Severity: HIGH
- Fixed in: 149.0.7827.53
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is a privilege escalation vulnerability in the WebView component of Google Chrome on Android, affecting all versions prior to 149.0.7827.53. The flaw is reachable over the network and requires no authentication, but does require the victim to visit a crafted HTML page. Successful exploitation has a high impact on the confidentiality, integrity, and availability of the affected device. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built Android application images that bundle a vulnerable Chrome or WebView version.
Available
HarborGuard scores this CVE at CVSS 8.8 (HIGH) and weights it against each environment's compliance policy to determine urgency, then routes findings to the appropriate team inbox within the customer org.
Available
A patched-image rebuild at Chrome 149.0.7827.53 becomes available on HarborGuard for any environment where an affected image is detected. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads.
Available
Exploit Conditions
- Network reachability: Required
The attacker delivers the exploit over the network by luring the victim to a remotely hosted crafted HTML page, so the vulnerable service must be reachable from the internet or an accessible network.
- Authentication: Not required
No account credentials or prior authentication are needed; any anonymous remote attacker can attempt the exploit.
- Victim interaction: Required
The victim must visit a crafted HTML page, meaning the attacker depends on a social-engineering step such as a phishing link or malicious redirect.
- Attack complexity: Detail
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other hard-to-control environmental factors.
Blast Radius
- A successful attacker reads sensitive data stored or accessible through the WebView context, including cookies, session tokens, and local application data.
- The attacker writes or modifies application data and on-device storage accessible to the Chrome or WebView process.
- The attacker can crash or destabilize the affected Chrome or WebView process, disrupting the application relying on it.
- Because this is a privilege escalation, the attacker may gain capabilities beyond the normal WebView sandbox, potentially affecting other resources on the Android device.
How HarborGuard Handles This
Available on HarborGuard: detection for this CVE is active across all connected registries and pipelines, matching any image that bundles a Chrome or WebView build older than 149.0.7827.53. For customers who opt into auto-remediation, HarborGuard rebuilds the affected image at the patched version, runs regression tests, and opens a pull request against affected workloads; for HIGH-severity issues the median time from CVE publication to merged patch PR in auto-remediation environments is around 90 minutes. Where compliance policy requires manual approval, the triage finding and recommended fix version are surfaced in the HarborGuard dashboard immediately upon detection, with CVSS weighting applied to prioritize this issue appropriately within each environment.
Fix available
- Google / Chrome < 149.0.7827.53 (from 149.0.7827.53)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H