Skip to main content

Chrome for iOS CVE-2026-11277

| EUVDEUVD-2026-34738 MEDIUM
Improper Access Control (CWE-284)
2026-06-05 chrome-cve-admin@google.com GHSA-2qm3-qr87-f567
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
SUSE
MEDIUM
qualitative
Red Hat
4.3 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jun 05, 2026 - 20:55 vuln.today
CVSS changed
Jun 05, 2026 - 20:22 NVD
4.3 (MEDIUM)
CVE Published
Jun 05, 2026 - 00:17 nvd
MEDIUM 4.3
CVE Published
Jun 05, 2026 - 00:17 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Insufficient policy enforcement in Chrome for iOS in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker to bypass discretionary access control via a crafted HTML page. (Chromium security severity: Low)

AnalysisAI

Insufficient policy enforcement in Google Chrome for iOS (prior to 149.0.7827.53) enables remote attackers to bypass discretionary access controls by directing a victim to a crafted HTML page. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) confirms the attack is network-reachable, requires no authentication, and produces a limited integrity impact with no confidentiality or availability consequences. No public exploit has been identified at time of analysis, and the EPSS score of 0.02% (4th percentile) reflects very low exploitation probability; Chromium internally rated this Low severity.

Technical ContextAI

The affected component is Chrome's iOS-specific policy enforcement layer, which governs discretionary access control (DAC) decisions within the browser sandbox. CWE-284 (Improper Access Control) identifies the root cause as a failure to consistently apply security policies - a class of bug that commonly arises when a platform-specific code path (here, the iOS port of Chromium) diverges from the reference implementation's access control logic. Affected versions are all Chrome for iOS releases prior to 149.0.7827.53, as confirmed by the EUVD affected-version range 'Chrome 149.0.7827.53 <149.0.7827.53'. No CPE string was provided in the input data; the product scope is limited to the iOS platform variant of Chrome and does not affect Chrome on other operating systems based on available information.

RemediationAI

Update Google Chrome for iOS to version 149.0.7827.53 or later, which contains the vendor-released patch for this issue. The fix is documented in the Chrome Stable Channel Update advisory at http://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html. Users on iOS should apply the update via the App Store. Because the CVSS scope is Unchanged (S:U) and impact is limited to integrity (I:L), no emergency out-of-band response is required for most organizations; inclusion in the next routine patch cycle is appropriate. No explicit workarounds are documented in available references. If immediate update is not operationally feasible, restricting access to untrusted web content via MDM-managed URL filtering on supervised iOS devices would reduce exposure, with the trade-off of impacting general browsing functionality.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Tumbleweed Fixed

Share

CVE-2026-11277 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy