Skip to main content

Google Chrome Android EUVDEUVD-2026-34739

| CVE-2026-11278 MEDIUM
Origin Validation Error (CWE-346)
2026-06-05 chrome-cve-admin@google.com GHSA-3483-cg54-gpx2
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
SUSE
MEDIUM
qualitative
Red Hat
3.3 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jun 05, 2026 - 20:56 vuln.today
CVSS changed
Jun 05, 2026 - 20:22 NVD
6.5 (MEDIUM)
CVE Published
Jun 05, 2026 - 00:17 nvd
MEDIUM 6.5
CVE Published
Jun 05, 2026 - 00:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

Inappropriate implementation in CustomTabs in Google Chrome on Android prior to 149.0.7827.53 allowed a local attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)

AnalysisAI

Cross-origin data leakage via Chrome's CustomTabs component on Android exposes confidential web content to attackers who can deliver a crafted HTML page to a victim. Affected versions are all Chrome for Android releases prior to 149.0.7827.53. Despite Chromium's internal 'Low' severity rating, the CVSS confidentiality impact is scored High (C:H), and user interaction is required (UI:R) - meaning exploitation depends on a victim opening attacker-controlled content. No public exploit code exists and no active exploitation has been identified; EPSS at 0.01% (1st percentile) corroborates low near-term exploitation likelihood.

Technical ContextAI

CustomTabs is a Chrome for Android API that allows third-party applications to open web content within a Chrome-rendered browser session while retaining app UI context. The vulnerability is rooted in CWE-346 (Origin Validation Error), a class of flaws where the implementation fails to adequately verify or enforce the origin boundary of content or data. In this case, an inappropriate implementation within the CustomTabs subsystem permits a crafted HTML page to read or infer data belonging to a different origin - violating the Same-Origin Policy. The affected component is specific to the Android platform; desktop Chrome is not implicated. The exact CPE from EUVD-affected-version data is Google Chrome on Android versions prior to 149.0.7827.53.

RemediationAI

The vendor-released patch is Chrome for Android version 149.0.7827.53, confirmed via the Chromium stable channel advisory at http://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html. Users and administrators should update Chrome on Android devices to 149.0.7827.53 or later through the Google Play Store or managed MDM update policies. If immediate patching is not possible, a compensating control is to restrict or disable third-party application use of the CustomTabs API for apps handling sensitive cross-origin sessions - this limits the attack surface to the Chrome browser itself rather than embedded contexts. Additionally, user awareness to avoid visiting untrusted HTML pages reduces the UI:R prerequisite. Note that restricting CustomTabs may break app functionality for applications that rely on it for in-app browsing.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Tumbleweed Fixed

Share

EUVD-2026-34739 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy