Description
Insufficient policy enforcement in Chrome for iOS in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker to bypass discretionary access control via a crafted HTML page. (Chromium security severity: Low)
Published: 2026-06-04
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is an insufficient policy enforcement in Google Chrome for iOS that permits a remote attacker to bypass discretionary access control by loading a specifically crafted HTML page. The vulnerability allows an attacker to access or manipulate resources protected by the browser’s access controls without authorization, potentially exposing sensitive data or enabling further malicious activity. The Chromium severity is classified as Low, indicating the impact is limited but noteworthy for users who may encounter malicious content.

Affected Systems

Google Chrome for iOS versions prior to 149.0.7827.53 are affected. The issue is limited to the iOS platform and does not impact other operating systems or desktop Chrome builds.

Risk and Exploitability

The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, suggesting a moderate or low probability of exploitation in the wild. Attackers would need to entice the user to load the malicious HTML via a web page, email, or other content delivery mechanism, making social engineering a likely prerequisite. Because the CVSS score is low and the vulnerability is device‑specific, the overall risk is considered limited but warrants updating to the patched release.

Generated by OpenCVE AI on June 5, 2026 at 00:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome for iOS to version 149.0.7827.53 or later to receive the fix for insufficient policy enforcement.
  • If an update cannot be performed immediately, restrict deployment of the affected Chrome version through device management profiles or app store restrictions.
  • Configure enterprise policy to enforce a minimum app version on all devices to prevent installation or execution of older, vulnerable Chrome releases.

Generated by OpenCVE AI on June 5, 2026 at 00:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 01:15:00 +0000

Type Values Removed Values Added
Title Insufficient Policy Enforcement Allows Discretionary Access Control Bypass in Chrome for iOS
Weaknesses CWE-284

Fri, 05 Jun 2026 01:00:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Thu, 04 Jun 2026 23:45:00 +0000

Type Values Removed Values Added
Description Insufficient policy enforcement in Chrome for iOS in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker to bypass discretionary access control via a crafted HTML page. (Chromium security severity: Low)
References

Subscriptions

Google Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-04T23:06:15.333Z

Reserved: 2026-06-04T17:11:13.081Z

Link: CVE-2026-11277

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-05T00:17:04.873

Modified: 2026-06-05T00:17:04.873

Link: CVE-2026-11277

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-05T01:00:15Z

Weaknesses