CVE-2026-11275 in Chrome

Summary

by MITRE • 06/05/2026

Inappropriate implementation in Page Info in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Low)

Analysis

by VulDB Data Team • 06/05/2026

This vulnerability represents a privilege escalation issue within Google Chrome's Android implementation where an attacker with compromised renderer process access could bypass navigation restrictions through malicious HTML content. The flaw exists in the Page Info component, which handles information display and navigation controls for web pages. When a renderer process is compromised, typically through a previous exploit or attack vector, the attacker can craft specific HTML content that manipulates the Page Info functionality to circumvent intended security boundaries. The vulnerability stems from inadequate validation of navigation requests within the page information interface, allowing unauthorized redirection attempts that should normally be restricted. This issue falls under the category of improper access control, where the system fails to properly enforce navigation restrictions that are typically enforced at the browser level.

The security impact is categorized as low severity by Chromium standards, indicating it does not directly enable arbitrary code execution or full system compromise, but rather allows for navigation bypass that could potentially facilitate further attacks. The vulnerability affects all Android versions of Chrome prior to 149.0.7827.53, representing a window of exposure where users were susceptible to navigation manipulation attacks. From a cybersecurity perspective, this aligns with attack patterns documented in the attack tree model, where compromised processes can be leveraged to expand attack surface through application-level flaws. The vulnerability demonstrates a breakdown in the principle of least privilege, where the Page Info component should not allow navigation bypass regardless of process state.

This issue is particularly concerning in environments where mobile browser security is paramount, as it could enable attackers to redirect users to malicious sites or manipulate browser navigation in ways that compromise user experience and security. The flaw likely involves insufficient input sanitization or improper state management within the Page Info component's navigation handling mechanism. Organizations should consider this vulnerability in their threat modeling exercises, as it represents a potential vector for attackers to extend their reach beyond initial compromise boundaries.

The fix implemented in version 149.0.7827.53 would have addressed the navigation restriction bypass by strengthening validation checks within the Page Info component and ensuring proper enforcement of navigation boundaries even when processes are compromised. This vulnerability type is consistent with common web application security issues documented in the OWASP Top Ten and aligns with CWE categories related to access control and improper input validation. The remediation would have involved implementing stricter access controls and ensuring that navigation restrictions are enforced regardless of the process state or attacker capabilities within the renderer. Security teams should prioritize updating affected Android Chrome installations to prevent exploitation of this navigation bypass vulnerability, which could serve as a stepping stone for more sophisticated attacks targeting mobile browser environments.

Responsible: Chrome

Reservation: 06/04/2026

Disclosure: 06/05/2026

Moderation: accepted

CPE: ready

EPSS: 0.00016

KEV: no

Activities: very low
