Skip to main content

Google Chrome iOS CVE-2026-11274

| EUVDEUVD-2026-34735 MEDIUM
Improper Access Control (CWE-284)
2026-06-05 chrome-cve-admin@google.com GHSA-p57h-48hh-w845
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
SUSE
MEDIUM
qualitative
Red Hat
4.3 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jun 05, 2026 - 20:54 vuln.today
CVSS changed
Jun 05, 2026 - 20:22 NVD
4.3 (MEDIUM)
CVE Published
Jun 05, 2026 - 00:17 nvd
MEDIUM 4.3
CVE Published
Jun 05, 2026 - 00:17 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Inappropriate implementation in DOM Distiller in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Low)

AnalysisAI

Navigation restriction bypass in Google Chrome's DOM Distiller component on iOS allows a remote attacker to circumvent page navigation controls by serving a specially crafted HTML page. Affected users are running Chrome on iOS prior to version 149.0.7827.53, and exploitation requires the victim to visit an attacker-controlled page. No public exploit identified at time of analysis and EPSS probability sits at 0.02% (4th percentile), consistent with the vendor's own 'Low' severity classification - real-world impact is limited to integrity degradation with no confidentiality or availability consequence.

Technical ContextAI

DOM Distiller is Chrome's reader-mode subsystem that parses and reformats web content into a simplified, distillation view. It operates as a privileged internal Chrome page (chrome-distiller:// scheme) and is iOS-specific in this context, meaning the flaw exists in the WebKit/Chrome-on-iOS code path rather than the Blink renderer used on desktop. CWE-284 (Improper Access Control) is the root cause class, indicating the DOM Distiller implementation fails to correctly enforce navigation boundaries - likely allowing crafted markup to redirect the distiller context to a destination that should be restricted. The affected version range is all Chrome iOS builds prior to 149.0.7827.53, as identified in the EUVD CPE data ('Chrome 149.0.7827.53 <149.0.7827.53').

RemediationAI

Vendor-released patch: Chrome 149.0.7827.53 for iOS. Users should update Chrome on iOS to version 149.0.7827.53 or later via the Apple App Store; this is the primary and recommended fix. The advisory is published at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html. No workarounds are documented by the vendor. As an interim compensating control for environments where immediate update is not possible, disabling Reader Mode (DOM Distiller) by setting chrome://flags/#dom-distiller to Disabled would remove the vulnerable code path, though this trades off the reader-mode usability feature. Given the low severity and limited impact, emergency compensating controls are unlikely to be warranted for most organizations.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Tumbleweed Fixed

Share

CVE-2026-11274 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy