Description
Inappropriate implementation in Custom Tabs in Google Chrome on Android prior to 149.0.7827.53 allowed a local attacker to perform privilege escalation via a crafted XML file. (Chromium security severity: Medium)
Published: 2026-06-04
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability stems from an improper implementation of Custom Tabs in Google Chrome on Android, which enables a local adversary to craft an XML file that triggers privilege escalation. An infected device running a Chrome build older than 149.0.7827.53 could allow an attacker who can place files on the local system to elevate permissions within the browser environment. The flaw has a moderate severity rating and is categorized as CWE‑20, reflecting inadequate input validation.

Affected Systems

Google Chrome for Android versions prior to 149.0.7827.53. Devices running affected Chrome builds are susceptible; the flaw does not affect other products or platforms. The vulnerability requires the victim to have a local attacker able to drop a malicious XML file.

Risk and Exploitability

Because the attack requires local file placement, the exploit scenario is limited to attackers with physical or local access to the device, such as malicious applications or compromised storage. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, indicating no known widespread exploitation. The CVSS rating is moderate; however, the potential for privilege escalation warrants prompt remediation.

Generated by OpenCVE AI on June 5, 2026 at 02:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Chrome update (149.0.7827.53 or newer) via the Play Store or OTA.
  • If a Chrome update is not immediately available, disable the Custom Tabs feature through enterprise device management to prevent the exploit path.
  • Restrict local file access permissions on Android devices to limit the ability of applications to place crafted XML files on the system.

Generated by OpenCVE AI on June 5, 2026 at 02:49 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 07:30:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Fri, 05 Jun 2026 03:15:00 +0000

Type Values Removed Values Added
Title Privilege Escalation via Custom Tabs XML on Android

Thu, 04 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Inappropriate implementation in Custom Tabs in Google Chrome on Android prior to 149.0.7827.53 allowed a local attacker to perform privilege escalation via a crafted XML file. (Chromium security severity: Medium)
Weaknesses CWE-20
References

Subscriptions

Google Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-04T23:04:29.386Z

Reserved: 2026-06-04T17:06:34.417Z

Link: CVE-2026-11035

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-04T23:17:07.633

Modified: 2026-06-04T23:17:07.633

Link: CVE-2026-11035

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-05T07:15:20Z

Weaknesses