Description
Insufficient policy enforcement in Chrome for iOS in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker to bypass discretionary access control via a crafted HTML page. (Chromium security severity: Low)
Published: 2026-06-04
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is an insufficient policy enforcement in Google Chrome for iOS that permits a remote attacker to bypass discretionary access control by loading a specifically crafted HTML page. The vulnerability allows an attacker to access or manipulate resources protected by the browser’s access controls without authorization, potentially exposing sensitive data or enabling further malicious activity. The Chromium severity is classified as Low, indicating the impact is limited but noteworthy for users who may encounter malicious content.

Affected Systems

Google Chrome for iOS versions prior to 149.0.7827.53 are affected. The issue is limited to the iOS platform and does not impact other operating systems or desktop Chrome builds.

Risk and Exploitability

The EPSS score is < 1% and the vulnerability is not listed in the CISA KEV catalog, indicating a low probability of exploitation in the wild. Attackers would need to entice the user to load the malicious HTML via a web page, email, or other content delivery mechanism, making social engineering a likely prerequisite. Because the CVSS score is 4.3 and the vulnerability is device‑specific, the overall risk is considered limited but warrants updating to the patched release.

Generated by OpenCVE AI on June 5, 2026 at 22:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome for iOS to version 149.0.7827.53 or later to receive the fix for insufficient policy enforcement.
  • If an update cannot be performed immediately, restrict deployment of the affected Chrome version through device management profiles or app store restrictions.
  • Configure enterprise policy to enforce a minimum app version on all devices to prevent installation or execution of older, vulnerable Chrome releases.

Generated by OpenCVE AI on June 5, 2026 at 22:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6325-1 chromium security update
History

Tue, 09 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple iphone Os
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:iphone_os:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple iphone Os

Tue, 09 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Title chromium-browser: chromium-browser: Insufficient policy enforcement in Chrome for iOS
References
Metrics threat_severity

None

 threat_severity

Low

Fri, 05 Jun 2026 22:30:00 +0000

Type Values Removed Values Added
Title Insufficient Policy Enforcement Allows Discretionary Access Control Bypass in Chrome for iOS

Fri, 05 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 05 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Fri, 05 Jun 2026 01:15:00 +0000

Type Values Removed Values Added
Title Insufficient Policy Enforcement Allows Discretionary Access Control Bypass in Chrome for iOS
Weaknesses CWE-284

Fri, 05 Jun 2026 01:00:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Thu, 04 Jun 2026 23:45:00 +0000

Type Values Removed Values Added
Description Insufficient policy enforcement in Chrome for iOS in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker to bypass discretionary access control via a crafted HTML page. (Chromium security severity: Low)
References

Subscriptions

Apple Iphone Os
Google Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-05T19:27:34.028Z

Reserved: 2026-06-04T17:11:13.081Z

Link: CVE-2026-11277

cve-icon Vulnrichment

Updated: 2026-06-05T19:27:27.350Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-05T00:17:04.873

Modified: 2026-06-09T18:26:08.167

Link: CVE-2026-11277

cve-icon Redhat

Severity : Low

Publid Date: 2026-06-02T00:00:00Z

Links: CVE-2026-11277 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-05T22:15:06Z

Weaknesses