Skip to main content

Google Chrome iOS CVE-2026-11280

| EUVDEUVD-2026-34741 MEDIUM
Improper Input Validation (CWE-20)
2026-06-05 chrome-cve-admin@google.com GHSA-hgx4-2wp8-x7xc
4.3
CVSS 3.1 · Vendor: google
Share

Severity by source

Vendor (google) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
SUSE
MEDIUM
qualitative
Red Hat
4.3 LOW
qualitative

Primary rating from Vendor (google).

CVSS VectorVendor: google

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jun 05, 2026 - 20:56 vuln.today
CVSS changed
Jun 05, 2026 - 20:22 NVD
4.3 (MEDIUM)
CVE Published
Jun 05, 2026 - 00:17 nvd
MEDIUM 4.3
CVE Published
Jun 05, 2026 - 00:17 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Inappropriate implementation in Signin in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)

AnalysisAI

UI spoofing in Google Chrome on iOS (prior to 149.0.7827.53) allows an unauthenticated remote attacker to present a deceptive interface to users by serving a crafted HTML page, specifically targeting the Signin flow. The root cause is an inappropriate implementation classified under CWE-20 (Improper Input Validation), meaning Chrome fails to sufficiently validate or constrain inputs that influence the rendered signin UI. No public exploit code exists and no active exploitation has been confirmed; EPSS of 0.05% (15th percentile) indicates very low near-term exploitation probability, consistent with the Low Chromium severity rating.

Technical ContextAI

The vulnerability resides in the Signin component of Google Chrome on iOS, distinct from the desktop Chromium codebase, implying platform-specific rendering or input-handling behavior on Apple's WebKit/iOS environment. CWE-20 (Improper Input Validation) as the root cause class indicates that attacker-controlled input - delivered via a crafted HTML page - is not adequately sanitized or constrained before influencing the signin UI rendering logic. This category of flaw frequently manifests as address bar spoofing, tab UI manipulation, or overlay abuse in mobile browsers, where OS-level constraints and browser chrome boundaries differ from desktop. The affected CPE scope is Google Chrome on iOS versions prior to 149.0.7827.53, as confirmed by the EUVD entry EUVD-2026-34741.

RemediationAI

Update Google Chrome on iOS to version 149.0.7827.53 or later, available through the Apple App Store. This is the vendor-released patch confirmed by the stable channel update advisory at http://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html. No workarounds are documented for this specific flaw. As an interim measure for high-security environments, users can be instructed to manually verify the URL and certificate in the address bar before entering credentials on any signin page encountered while browsing, since this mitigates the practical impact of UI spoofing without requiring an immediate update. Enabling automatic app updates on iOS devices will ensure Chrome is kept current without manual intervention.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Tumbleweed Fixed

Share

CVE-2026-11280 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy