Description
Insufficient policy enforcement in Navigation in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Low)
Published: 2026-06-04
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Insufficient enforcement of navigation policy in Google Chrome on Android allows a compromised renderer process to navigate the browser to arbitrary URLs through a specially crafted HTML page. The flaw does not provide full remote code execution, but it undermines the sandbox by allowing a malicious renderer to redirect the user to sites that would otherwise be blocked, potentially delivering further attacks or phishing content.

Affected Systems

All Android installations of Google Chrome earlier than version 149.0.7827.53 are vulnerable. The issue resides in the navigation handling code within the renderer process of the Chromium engine for mobile devices.

Risk and Exploitability

No official CVSS score is provided and EPSS data is unavailable, so the exploitation probability is not quantified. The vulnerability is not listed in the CISA KEV catalog. A remote adversary must first gain control of the renderer process, typically via a malicious webpage or application, before abusing the navigation policy. Once this foothold is achieved, the attacker can trigger navigation to unrestricted destinations in a way that bypasses the intended restrictions.

Generated by OpenCVE AI on June 5, 2026 at 01:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome on Android to version 149.0.7827.53 or later
  • Avoid installing unknown or untrusted applications that may compromise the renderer process
  • Apply enterprise or device-level policies to restrict navigation to approved domains

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 01:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Title | | Navigation Policy Bypass via Crafted HTML in Chrome Android |

Fri, 05 Jun 2026 01:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Google; Google chrome |
| Vendors & Products | | Google; Google chrome |

Thu, 04 Jun 2026 23:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | Insufficient policy enforcement in Navigation in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Low) |
| Weaknesses | | CWE-20 |
| References | | |

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-04T23:06:19.283Z

Reserved: 2026-06-04T17:11:16.144Z

Link: CVE-2026-11287

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-05T00:17:06.187

Modified: 2026-06-05T00:17:06.187

Link: CVE-2026-11287

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T01:30:25Z

Weaknesses