Description
Insufficient policy enforcement in CustomTabs in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
Published: 2026-06-04
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An insufficient policy enforcement in the CustomTabs feature of Google Chrome on Android prior to version 149.0.7827.53 allows a remote attacker to craft an HTML page that causes the browser to read cross‑origin data. The attacker can then exfiltrate that information, leading to a confidentiality breach. The issue is categorized as low severity by Chromium.

Affected Systems

Affected systems are devices running Google Chrome for Android before build 149.0.7827.53, including all stable‑channel releases below that version as well as any beta or dev builds that have not yet applied the fix.

Risk and Exploitability

No EPSS score is available and the vulnerability is not in the CISA KEV catalog, suggesting a limited exploitation window. The exploit requires a victim to open a malicious CustomTabs page, implying user interaction. Because it merely leaks data, the risk remains low, but applications that handle sensitive information should be reviewed. The CVSS is not specified, but the low Chromium severity indicates modest impact.

Generated by OpenCVE AI on June 5, 2026 at 00:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to 149.0.7827.53 or later.
  • If you must continue using CustomTabs before the update, configure the CustomTabs intent to restrict cross‑origin access or disable the feature for untrusted content.
  • Review web content loaded via CustomTabs and avoid displaying user‑supplied or untrusted data that could be harvested.

Generated by OpenCVE AI on June 5, 2026 at 00:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 00:45:00 +0000

Type Values Removed Values Added
Title Chrome CustomTabs Android Cross‑Origin Data Leakage Before 149.0.7827.53
First Time appeared Google
Google chrome
Weaknesses CWE-200
Vendors & Products Google
Google chrome

Thu, 04 Jun 2026 23:45:00 +0000

Type Values Removed Values Added
Description Insufficient policy enforcement in CustomTabs in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
References

Subscriptions

Google Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-04T23:06:00.350Z

Reserved: 2026-06-04T17:11:03.303Z

Link: CVE-2026-11247

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-05T00:17:01.130

Modified: 2026-06-05T00:17:01.130

Link: CVE-2026-11247

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-05T00:30:07Z

Weaknesses