PatchSiren cyber security CVE debrief
CVE-2026-11172 Google CVE debrief
CVE-2026-11172 is a vulnerability in Google Chrome on Android, specifically affecting the Contact Picker feature. The vulnerability, with a CVSS score of 8.8, allowed a remote attacker to perform UI spoofing via a crafted HTML page. This issue was addressed in Google Chrome version 149.0.7827.53.
- Vendor
- Product
- Chrome
- CVSS
- HIGH 8.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-04
- Original CVE updated
- 2026-06-08
- Advisory published
- 2026-06-04
- Advisory updated
- 2026-06-08
Who should care
Users of Google Chrome on Android, particularly those who use the Contact Picker feature, should be aware of this vulnerability and ensure they are running version 149.0.7827.53 or later.
Technical summary
The vulnerability, described as 'Incorrect security UI in Contact Picker,' was caused by inadequate security controls in the Contact Picker feature of Google Chrome on Android. This allowed attackers to craft HTML pages that could spoof the UI, potentially leading to confusion or further malicious actions.
Defensive priority
High
Recommended defensive actions
- Update Google Chrome to version 149.0.7827.53 or later to mitigate this vulnerability.
- Be cautious when interacting with links or pages from unknown sources, especially those that request access to contacts.
Evidence notes
This CVE was published on [cvePublishedAt] and modified on [cveModifiedAt]. The vulnerability was reported and addressed by Google, with additional details available through their official channels.
Official resources
-
CVE-2026-11172 CVE record
CVE.org
-
CVE-2026-11172 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Vendor Advisory
-
Source reference
[email protected] - Permissions Required
CVE-2026-11172 was published on 2026-06-04T23:17:23.990Z and modified on 2026-06-08T14:21:40.090Z.