Skip to main content

Google Chrome EUVDEUVD-2026-34751

| CVE-2026-11290 MEDIUM
External Control of Assumed-Immutable Web Parameter (CWE-472)
2026-06-05 chrome-cve-admin@google.com GHSA-32x7-f6p3-x83q
5.0
CVSS 3.1 · Vendor: google
Share

Severity by source

Vendor (google) PRIMARY
5.0 MEDIUM
AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
SUSE
3.1 LOW
AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
Red Hat
5.0 LOW
qualitative

Primary rating from Vendor (google).

CVSS VectorVendor: google

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Analysis Generated
Jun 05, 2026 - 21:00 vuln.today
CVSS changed
Jun 05, 2026 - 20:22 NVD
5.0 (MEDIUM)
CVE Published
Jun 05, 2026 - 00:17 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Integer overflow in WebView in Google Chrome on Android prior to 149.0.7827.53 allowed a local attacker to cause a denial of service via a malicious file. (Chromium security severity: Low)

AnalysisAI

Integer overflow in the WebView component of Google Chrome on Android (prior to 149.0.7827.53) allows a local, low-privileged attacker to crash the application via a crafted malicious file, resulting in a denial of service. The attack requires user interaction - the victim must open or process the malicious file through a WebView-rendered surface. No public exploit code has been identified at time of analysis, and the EPSS score of 0.01% (1st percentile) indicates extremely low real-world exploitation probability; the vendor has rated this Low severity.

Technical ContextAI

WebView is an Android system component that embeds a Chromium-based browser engine inside native Android applications, allowing apps to render web content inline. The vulnerability is an integer overflow in this component, meaning an arithmetic operation produces a value exceeding the bounds of its integer type, leading to unexpected behavior - in this case, a crash causing denial of service. The assigned CWE is CWE-472 ('External Control of Assumed-Immutable Web Parameter'), which describes a mismatch from the stated 'integer overflow' root cause; CWE-190 ('Integer Overflow or Wraparound') would be the canonical classification for this type of flaw. This discrepancy between the natural language description and the CWE tag is a notable inconsistency that should be verified against Chromium bug tracker issue 502264647. Affected product is Google Chrome for Android, specifically all versions of the browser's WebView implementation prior to the 149.0.7827.53 stable channel release.

RemediationAI

Upgrade Google Chrome on Android to version 149.0.7827.53 or later, as confirmed by the vendor's stable channel update advisory at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html. Users should update via the Google Play Store. Since the vulnerability requires local access and user interaction with a malicious file, organizations with managed Android fleets can reduce exposure in the interim by applying mobile device management (MDM) policies that restrict sideloading of untrusted files and limit the sources from which files can be opened in Chrome WebView. Disabling or restricting WebView usage in enterprise applications for untrusted content sources is a targeted compensating control, though this may break functionality in apps that depend on WebView for core features. Given the low severity and lack of known public exploitation, patching through normal update cycles is appropriate rather than emergency response.

Vendor StatusVendor

SUSE

Severity: Low
Product Status
openSUSE Tumbleweed Fixed

Share

EUVD-2026-34751 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy