PatchSiren cyber security CVE debrief
CVE-2026-11175 Google CVE debrief
CVE-2026-11175 is a vulnerability in Google Chrome on Android, specifically affecting the Messages feature. The issue is related to incorrect security UI, which could allow a remote attacker to perform UI spoofing via a crafted HTML page. This vulnerability was reported with a CVSS score of 8.8, indicating a high severity level.
- Vendor: Google
- Product: Chrome
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-04
- Original CVE updated: 2026-06-08
- Advisory published: 2026-06-04
- Advisory updated: 2026-06-08
Who should care
Users of Google Chrome on Android, particularly those who use the Messages feature, should be aware of this vulnerability. IT administrators and security teams responsible for managing Chrome deployments should prioritize patching to prevent potential UI spoofing attacks.
Technical summary
CVE-2026-11175 is caused by incorrect security UI in Messages in Google Chrome on Android prior to version 149.0.7827.53. This allows a remote attacker to perform UI spoofing via a crafted HTML page. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H: the attack vector is network (AV:N), attack complexity is low (AC:L), no privileges are required (PR:N), user interaction is required (UI:R), scope is unchanged (S:U), and the impact on confidentiality, integrity, and availability is high (C:H/I:H/A:H).
Defensive priority
High
Recommended defensive actions
- Update Google Chrome on Android to version 149.0.7827.53 or later to patch the vulnerability.
- Ensure that Chrome is configured to automatically update to the latest version.
- Be cautious when interacting with links or pages from unknown sources, as they may be crafted to exploit this vulnerability.
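A fleet check for the first recommended action, added here as an example and not taken from the vendor advisory or from PatchSiren: it reads Chrome's `versionName` from `adb shell dumpsys package com.android.chrome` output and compares it numerically against 149.0.7827.53. The inventory, device labels, sample versions and function names are constructed for illustration.

```python
import re

FIXED = "149.0.7827.53"  # first fixed Chrome for Android build, per the text above


def parse_version(text):
    """Return the Chrome version as a tuple of ints, or None if absent/malformed."""
    m = re.search(r"versionName=(\d+(?:\.\d+){3})\b", text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def classify(dumpsys_output, fixed=FIXED):
    """Classify one device as 'patched', 'vulnerable' or 'unknown'."""
    version = parse_version(dumpsys_output)
    if version is None:
        return "unknown"  # Chrome missing or output unreadable: follow up manually
    fixed_t = tuple(int(p) for p in fixed.split("."))
    # Compare numerically, component by component. A plain string comparison
    # would rank "149.0.7827.100" below "149.0.7827.53" and misreport it.
    return "patched" if version >= fixed_t else "vulnerable"


# Constructed sample inventory (not real devices): device label -> excerpt of
# `adb shell dumpsys package com.android.chrome` output.
INVENTORY = {
    "pixel-01": "    versionCode=1 minSdk=29\n    versionName=149.0.7827.53\n",
    "pixel-02": "    versionName=148.0.7778.120\n",
    "tab-03": "    versionName=149.0.7827.100\n",
    "kiosk-04": "Unable to find package: com.android.chrome\n",
}


def audit(inventory):
    """Map every device in the inventory to its patch status."""
    return {device: classify(out) for device, out in inventory.items()}


if __name__ == "__main__":
    for device, status in sorted(audit(INVENTORY).items()):
        print(f"{device}: {status}")
```

Devices reported as `unknown` should be checked by hand rather than assumed patched.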
Evidence notes
The CVE record and NVD detail can be found at [cve-org] and [nvd], respectively. Additional information and mitigation guidance can be found in the vendor advisory at [ref-4].
Official resources
- CVE-2026-11175 CVE record: CVE.org
- CVE-2026-11175 NVD detail: NVD
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Vendor Advisory
- Source reference: [email protected] - Permissions Required
CVE-2026-11175 was published on 2026-06-04T23:17:24.347Z and modified on 2026-06-08T14:21:27.000Z.