Description
Insufficient validation of untrusted input in Reading List in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform privilege escalation via a crafted HTML page. (Chromium security severity: Low)
Published: 2026-06-04
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability originates from insufficient validation of untrusted input within the Reading List feature of Google Chrome on iOS. An attacker can craft a malicious HTML page that, when a user performs specific UI gestures, bypasses protection mechanisms and gains the ability to elevate privileges on the device. This flaw is classified as a CWE-20 input validation weakness, allowing attackers to exploit the application’s failure to properly sanitize user input.

Affected Systems

Google Chrome users on iOS devices running any Chrome version prior to 149.0.7827.53 are susceptible. The issue specifically targets the Reading List functionality available in the Chrome browser and affects all deployments of Chrome on iOS before the indicated patch version.

Risk and Exploitability

The exploit requires convincing a user to interact with a crafted web page; thus, it is a user-dependent attack vector. No public exploit or zero‑day package is known, and the CVE is not listed in CISA’s KEV catalog, implying a limited, low–severity footprint at this time. However, because the flaw can result in privilege escalation, organizations that rely on Chrome for critical browsing should treat this as a potential risk, particularly in environments where untrusted web content is frequently accessed.

Generated by OpenCVE AI on June 5, 2026 at 00:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Chrome on all iOS devices to version 149.0.7827.53 or newer to receive the input validation fix.
  • If an immediate update is not possible, disable or restrict access to the Reading List feature for untrusted content until the patch is applied.
  • Continuously monitor user interactions and web traffic for attempts to trigger the Reading List UI gesture, and block suspicious HTML content as a temporary protective measure.

Generated by OpenCVE AI on June 5, 2026 at 00:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 01:15:00 +0000

Type Values Removed Values Added
Title Privilege Escalation via Insufficient Input Validation in Chrome iOS Reading List

Fri, 05 Jun 2026 01:00:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Thu, 04 Jun 2026 23:45:00 +0000

Type Values Removed Values Added
Description Insufficient validation of untrusted input in Reading List in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform privilege escalation via a crafted HTML page. (Chromium security severity: Low)
Weaknesses CWE-20
References

Subscriptions

Google Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-04T23:06:13.048Z

Reserved: 2026-06-04T17:11:11.381Z

Link: CVE-2026-11272

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-05T00:17:04.260

Modified: 2026-06-05T00:17:04.260

Link: CVE-2026-11272

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-05T01:00:15Z

Weaknesses