Description
Inappropriate implementation in CustomTabs in Google Chrome on Android prior to 149.0.7827.53 allowed a local attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
Published: 2026-06-04
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Chrome on Android implements CustomTabs incorrectly, allowing a local attacker to craft an HTML page that causes Chrome to expose data from a different origin. The flaw is purely informational and does not provide code execution, privilege escalation, or denial of service. It enables a local user who can load a custom tab to read sensitive cross‑origin data that should remain isolated.

Affected Systems

The vulnerability affects Google Chrome on Android versions prior to 149.0.7827.53, specifically the CustomTabs component. Devices running these unpatched builds are exposed; later releases include the fix.

Risk and Exploitability

Chromium labeled the issue as Low severity, but the CVSS score is 6.5, and the EPSS score is <1%, indicating a low likelihood of exploitation. Based on the description, exploitation requires local access on a device and the user must trigger a malicious CustomTab, making the likely attack vector a crafted HTML page opened within CustomTabs. The flaw is not listed in CISA’s KEV catalog. While the risk is limited, it is viable in environments where apps embed CustomTabs to display web content.

Generated by OpenCVE AI on June 7, 2026 at 16:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Chrome to 149.0.7827.53 or later, which contains the fix for CustomTabs.
  • If an update is not immediately available, disable or restrict the use of CustomTabs in applications until the update is installed.
  • Ensure any applications that use CustomTabs enforce strict origin validation before loading external content to prevent malicious pages from accessing sensitive data.

Generated by OpenCVE AI on June 7, 2026 at 16:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6325-1 chromium security update
History

Wed, 10 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Google android
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:google:android:-:*:*:*:*:*:*:*
Vendors & Products Google android

Sun, 07 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Title CustomTabs Cross-Origin Data Leak in Google Chrome on Android chromium-browser: Inappropriate implementation in CustomTabs
Weaknesses CWE-79
References
Metrics threat_severity

None

 threat_severity

Low

Sat, 06 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Title CustomTabs Cross-Origin Data Leak in Google Chrome on Android

Fri, 05 Jun 2026 22:30:00 +0000

Type Values Removed Values Added
Title Local Information Disclosure via CustomTabs in Chrome on Android
Weaknesses CWE-200

Fri, 05 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-346
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 05 Jun 2026 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Fri, 05 Jun 2026 01:15:00 +0000

Type Values Removed Values Added
Title Local Information Disclosure via CustomTabs in Chrome on Android
Weaknesses CWE-200

Thu, 04 Jun 2026 23:45:00 +0000

Type Values Removed Values Added
Description Inappropriate implementation in CustomTabs in Google Chrome on Android prior to 149.0.7827.53 allowed a local attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
References

Subscriptions

Google Android Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-05T19:26:39.320Z

Reserved: 2026-06-04T17:11:13.367Z

Link: CVE-2026-11278

cve-icon Vulnrichment

Updated: 2026-06-05T19:26:29.451Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-05T00:17:04.993

Modified: 2026-06-10T19:19:45.407

Link: CVE-2026-11278

cve-icon Redhat

Severity : Low

Publid Date: 2026-06-02T00:00:00Z

Links: CVE-2026-11278 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-07T16:30:04Z

Weaknesses
  • CWE-346

    Origin Validation Error

  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')