Description
Inappropriate implementation in CustomTabs in Google Chrome on Android prior to 149.0.7827.53 allowed a local attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
Published: 2026-06-04
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Chrome on Android implements CustomTabs incorrectly, allowing a local attacker to craft an HTML page that causes Chrome to expose data from a different origin. The flaw is purely informational and does not provide code execution, privilege escalation, or denial of service. It enables a local user who can load a custom tab to read sensitive cross‐origin data that should remain isolated.

Affected Systems

The vulnerability affects Google Chrome on Android versions prior to 149.0.7827.53, specifically the CustomTabs component. Devices running these unpatched builds are exposed; later releases include the fix.

Risk and Exploitability

Chromium labels the issue as low severity and no EPSS data is published, suggesting a small exploitation probability. The flaw is not listed in CISA’s KEV catalog. Exploitation requires local access on a device and the user must trigger a malicious CustomTab. While the risk is limited, it is viable in environments where apps embed CustomTabs to display web content.

Generated by OpenCVE AI on June 5, 2026 at 00:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Chrome to 149.0.7827.53 or later, which contains the fix for CustomTabs.
  • If an update is not immediately available, disable or restrict the use of CustomTabs in applications until the update is installed.
  • Ensure any applications that use CustomTabs enforce strict origin validation before loading external content to prevent malicious pages from accessing sensitive data.

Generated by OpenCVE AI on June 5, 2026 at 00:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Fri, 05 Jun 2026 01:15:00 +0000

Type Values Removed Values Added
Title Local Information Disclosure via CustomTabs in Chrome on Android
Weaknesses CWE-200

Thu, 04 Jun 2026 23:45:00 +0000

Type Values Removed Values Added
Description Inappropriate implementation in CustomTabs in Google Chrome on Android prior to 149.0.7827.53 allowed a local attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
References

Subscriptions

Google Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-04T23:06:15.713Z

Reserved: 2026-06-04T17:11:13.367Z

Link: CVE-2026-11278

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-05T00:17:04.993

Modified: 2026-06-05T00:17:04.993

Link: CVE-2026-11278

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-05T02:00:18Z

Weaknesses