CVE-2026-11297: Insufficient validation of untrusted input in Reader Mode in Google Chrome on Android prior to 149
Insufficient validation of untrusted input in Reader Mode in Google Chrome on Android prior to 149.0.7827.53 allowed a local attacker to bypass navigation restrictions via a malicious file. (Chromium security severity: Low)
Metrics
- CVSS v3.1
- 7.7
- Severity
- HIGH
- Fixed in
- 149.0.7827.53
- Affected Products
- 1
HarborGuard Analysis
Synopsis
Insufficient input validation in the Reader Mode component of Google Chrome for Android allows a local attacker to bypass navigation restrictions via a malicious file. The vulnerability is reachable locally with no authentication or user interaction required, derived from a CVSS:3.1 vector of AV:L/AC:L/PR:N/UI:N. Successful exploitation gives the attacker the ability to tamper with data and disrupt the affected service, without exposing confidential information. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection of CVE-2026-11297 is available across every HarborGuard environment, with the CVE ingested from upstream feeds within minutes of publication and matched against images in customer registries and CI/CD pipelines. Coverage extends to custom-built Android-based Chrome images alongside official distributions.
AvailableHarborGuard is capable of scoring this CVE at CVSS 7.7 HIGH and weighting it against each environment's compliance policy to determine urgency. Triage routing to the appropriate team inbox within each customer organization is available as part of the standard pipeline.
AvailableA patched-image rebuild at Chrome version 149.0.7827.53 is available on HarborGuard for environments running an affected version. For customers who opt into auto-remediation, HarborGuard can perform the rebuild, run regression tests, and open a PR against affected workloads automatically.
AvailableExploit Conditions
- Network reachabilityNot required
The attacker needs an existing shell or process on the host; no network access to the target is required.
- AuthenticationNot required
No account or credentials are needed; the attacker can proceed without authenticating to the system or application.
- Victim interactionNot required
The exploit does not rely on any action from a user or victim; the attacker can trigger the vulnerability independently.
- Attack complexityDetail
The exploit is reliable and condition-free, requiring no special timing, race conditions, or environmental setup.
Blast Radius
- Attacker modifies application navigation state and persisted data within the Chrome Reader Mode component.
- Attacker crashes or disrupts the Reader Mode service, causing loss of availability for that feature on the affected device.
- No confidential data is exposed; the impact is limited to integrity and availability of the affected component.
How HarborGuard Handles This
Available on HarborGuard: detection and rebuild support for CVE-2026-11297 at the fixed version 149.0.7827.53. For customers who opt into auto-remediation, HarborGuard is capable of rebuilding the affected image at the patched version, running a regression test suite, and opening a pull request against affected workloads. The median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy requires manual approval, the rebuilt image and test results are staged and surfaced in the customer dashboard for one-click promotion. Customers not yet on auto-remediation should prioritize upgrading any containerized Android Chrome deployments to 149.0.7827.53 and can use HarborGuard network-policy controls to restrict local file access paths as a compensating control in the interim.
Fix available
- Google / Chrome< 149.0.7827.53 (from 149.0.7827.53)
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H