Description
Insufficient policy enforcement in PreviewTab in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to bypass same origin policy via a crafted HTML page. (Chromium security severity: Low)
Published: 2026-06-04
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from insufficient policy enforcement within the PreviewTab component of Google Chrome on Android. A remote attacker can craft a malicious HTML page that, when a user follows specific UI gestures, bypasses the browser’s same origin policy, enabling the attacker to access or manipulate data across origins and potentially compromising confidentiality and integrity. This type of weakness is characterized by improper access control.

Affected Systems

Google Chrome for Android, all versions prior to 149.0.7827.53 are affected.

Risk and Exploitability

The CVSS assessment labels this issue as Low severity, and EPSS data is not available, with the vulnerability not yet listed in CISA KEV. Exploitation requires social engineering to persuade a user to perform particular gestures after visiting a malicious page, so while the attack vector is remote, it depends on user interaction, reducing the likelihood of widespread exploitation under current conditions.

Generated by OpenCVE AI on June 5, 2026 at 03:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Chrome on all Android devices to version 149.0.7827.53 or newer.
  • If the latest version cannot be installed immediately, restrict or disable the PreviewTab feature via enterprise policy to block the affected functionality.
  • Educate users about phishing risks and advise them to avoid performing unexpected gestures after clicking on unfamiliar links.

Generated by OpenCVE AI on June 5, 2026 at 03:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 06:00:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Fri, 05 Jun 2026 03:45:00 +0000

Type Values Removed Values Added
Title Same-Origin Policy Bypass via UI Gesture in Chrome Android
Weaknesses CWE-200
CWE-640

Thu, 04 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Insufficient policy enforcement in PreviewTab in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to bypass same origin policy via a crafted HTML page. (Chromium security severity: Low)
References

Subscriptions

Google Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-04T23:05:52.096Z

Reserved: 2026-06-04T17:10:55.970Z

Link: CVE-2026-11226

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-04T23:17:30.377

Modified: 2026-06-04T23:17:30.377

Link: CVE-2026-11226

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-05T05:45:32Z

Weaknesses