Description
Insufficient policy enforcement in CustomTabs in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
Published: 2026-06-04
Score: 3.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An insufficient policy enforcement in the CustomTabs feature of Google Chrome for Android permits a remote attacker to craft an HTML page that forces the browser to read cross‑origin data, which the attacker can then exfiltrate, leading to a confidentiality breach. The vulnerability is given a low severity rating by Chromium.

Affected Systems

Devices running Google Chrome on Android before build 149.0.7827.53 are affected. This includes all stable‑channel releases and any beta or development builds without the patch.

Risk and Exploitability

The EPSS score is <1% and the issue is not listed in the CISA KEV catalog, indicating a low probability of exploitation. Based on the description, it is inferred that the attack vector requires the victim to open a malicious CustomTabs page, implying user interaction. The CVSS score of 3.1 reflects the limited impact of the leak, and the overall risk remains low, though applications that handle sensitive data should review CustomTabs usage.

Generated by OpenCVE AI on June 7, 2026 at 16:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome on Android to version 149.0.7827.53 or later.
  • If upgrading cannot be performed immediately, limit the use of Chrome CustomTabs to trusted internal applications and avoid loading untrusted content.
  • Implement monitoring for CustomTabs activity and cross‑origin request handling to detect anomalous data leakage.

Generated by OpenCVE AI on June 7, 2026 at 16:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6325-1 chromium security update
History

Sun, 07 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Title Insufficient Policy Enforcement in Chrome CustomTabs Leading to Cross-Origin Data Leakage chromium-browser: Insufficient policy enforcement in CustomTabs
Weaknesses CWE-346
References
Metrics threat_severity

None

 threat_severity

Low

Fri, 05 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Google android
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:google:android:-:*:*:*:*:*:*:*
Vendors & Products Google android

Fri, 05 Jun 2026 18:00:00 +0000

Type Values Removed Values Added
Title Insufficient Policy Enforcement in Chrome CustomTabs Leading to Cross-Origin Data Leakage

Fri, 05 Jun 2026 16:15:00 +0000

Type Values Removed Values Added
Title Chrome CustomTabs Android Cross‑Origin Data Leakage Before 149.0.7827.53
Weaknesses CWE-200

Fri, 05 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-693
Metrics cvssV3_1

{'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 05 Jun 2026 00:45:00 +0000

Type Values Removed Values Added
Title Chrome CustomTabs Android Cross‑Origin Data Leakage Before 149.0.7827.53
First Time appeared Google
Google chrome
Weaknesses CWE-200
Vendors & Products Google
Google chrome

Thu, 04 Jun 2026 23:45:00 +0000

Type Values Removed Values Added
Description Insufficient policy enforcement in CustomTabs in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
References

Subscriptions

Google Android Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-05T12:40:47.417Z

Reserved: 2026-06-04T17:11:03.303Z

Link: CVE-2026-11247

cve-icon Vulnrichment

Updated: 2026-06-05T12:40:34.671Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-05T00:17:01.130

Modified: 2026-06-05T20:40:23.357

Link: CVE-2026-11247

cve-icon Redhat

Severity : Low

Publid Date: 2026-06-02T00:00:00Z

Links: CVE-2026-11247 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-07T17:00:05Z

Weaknesses
  • CWE-346

    Origin Validation Error

  • CWE-693

    Protection Mechanism Failure