Description
Incorrect security UI in Contact Picker in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-04
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Chrome’s Contact Picker UI can be rendered incorrectly, allowing a remote attacker to display a spoofed interface when a user visits a crafted web page. This flaw is classified as medium severity, indicating that the attacker can impersonate the legitimate permission prompt but cannot bypass other browser security controls. The primary effect is that users may be misled into granting contact access to unwanted sites.

Affected Systems

The vulnerability affects Google Chrome on Android versions earlier than 149.0.7827.53. Devices running any older builds are susceptible; the June 2026 security update addresses the UI rendering issue.

Risk and Exploitability

Exploitation requires the victim to open a crafted HTML page in Chrome, making it a social-engineering attack. The CVSS score of 8.8 categorizes this as a high-severity vulnerability. The CVE record does not indicate any publicly available exploits, and the vulnerability is not listed in CISA’s KEV catalog. The EPSS score is below 1%, indicating a very low probability of exploitation. The attacker controls what the spoofed UI displays, which could deceive users into submitting contact information, but no automatic elevation of privileges is possible.

Generated by OpenCVE AI on June 7, 2026 at 15:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to version 149.0.7827.53 or later
  • Disable or limit contact picker prompts in the browser settings until the update is applied
  • Educate users to verify the authenticity of contact permission requests and avoid granting access to unfamiliar sites

Generated by OpenCVE AI on June 7, 2026 at 15:59 UTC.

Advisories

Source      ID          Title
Debian DSA  DSA-6325-1  chromium security update

History

Each entry lists the fields that changed; where a value was replaced, the entry shows removed → added.

Mon, 08 Jun 2026 14:30:00 +0000
  First Time appeared: Google android
  CPEs: cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
        cpe:2.3:o:google:android:-:*:*:*:*:*:*:*
  Vendors & Products: Google android

Sun, 07 Jun 2026 12:15:00 +0000
  Title: UI Spoofing via Incorrect Contact Picker Rendering in Google Chrome for Android → chromium-browser: Incorrect security UI in Contact Picker
  Weaknesses: CWE-79
  References
  Metrics: threat_severity None → threat_severity Moderate

Fri, 05 Jun 2026 21:00:00 +0000
  Title: UI Spoofing via Incorrect Contact Picker Rendering in Google Chrome for Android

Fri, 05 Jun 2026 19:15:00 +0000
  Title: Chrome Contact Picker UI Spoofing Vulnerability on Android
  Weaknesses: CWE-106, CWE-200

Fri, 05 Jun 2026 17:30:00 +0000
  Weaknesses: CWE-451
  Metrics: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}
           ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 05 Jun 2026 06:00:00 +0000
  Title: Chrome Contact Picker UI Spoofing Vulnerability on Android
  Weaknesses: CWE-106, CWE-200

Fri, 05 Jun 2026 05:15:00 +0000
  First Time appeared: Google, Google chrome
  Vendors & Products: Google, Google chrome

Thu, 04 Jun 2026 23:15:00 +0000
  Description: Incorrect security UI in Contact Picker in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
References

MITRE
  Status: PUBLISHED
  Assigner: Chrome
  Published:
  Updated: 2026-06-05T17:09:10.502Z
  Reserved: 2026-06-04T17:10:37.363Z
  Link: CVE-2026-11172

Vulnrichment
  Updated: 2026-06-05T17:08:51.669Z

NVD
  Status: Analyzed
  Published: 2026-06-04T23:17:23.990
  Modified: 2026-06-08T14:21:40.090
  Link: CVE-2026-11172

Redhat
  Severity: Moderate
  Public Date: 2026-06-02T00:00:00Z
  Links: CVE-2026-11172 - Bugzilla

OpenCVE Enrichment
  Updated: 2026-06-07T16:00:04Z

Weaknesses
  • CWE-451

    User Interface (UI) Misrepresentation of Critical Information

  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')