Google has issued an urgent update for Chrome on Android to address a high-severity privilege escalation flaw in Custom Tabs, tracked as CVE-2026-11035. The vulnerability, disclosed on June 4, 2026, permits a local attacker to escalate privileges on unpatched devices by exploiting improper XML parsing. The fix arrives in version 149.0.7827.53, rolling out worldwide via the Google Play Store over the coming days.

Security researchers at Google’s Threat Analysis Group (TAG) discovered the bug in mid-May, noting that it had been exploited in the wild—albeit in limited, targeted attacks. The flaw carries a CVSS score of 7.8, placing it firmly in the high-risk category. Android users who rely on apps that launch Chrome Custom Tabs (such as Twitter, Slack, or any app using Chrome’s in-app browser) are directly affected.

What Are Chrome Custom Tabs?

Chrome Custom Tabs offer a seamless browsing experience inside third-party Android apps without requiring a full redirect to the Chrome browser. Developers can customize the toolbar, animations, and even pre-render content. Under the hood, Custom Tabs use a shared Chrome process, leveraging the same profile, cookies, and permissions as the main browser. This deep integration is precisely what makes the attack chain so dangerous.

When an app fires an Intent to open a URL via Custom Tabs, Chrome processes it through a service that handles session management and tab rendering. The vulnerability arises because this service mishandles a specific XML structure passed through the Intent’s extras bundle. Malformed XML can trigger an out-of-bounds read in the tab management logic, ultimately corrupting memory and allowing code execution with Chrome’s elevated privileges.

CVE-2026-11035 Technical Breakdown

The root cause lies in the CustomTabsSession.java class, responsible for parsing metadata embedded in the Intent. An attacker can craft a specially formatted URL with an xmlExtras parameter containing a nested entity expansion attack—a variant of the billion laughs attack—that exhausts heap memory and confuses the garbage collector. By carefully aligning heap allocations, the attacker can overwrite a function pointer in the custom tab’s callback interface, redirecting execution to attacker-controlled code.

Crucially, the exploit does not rely on a compromised app. A local attacker—or even a malicious website loaded in a separate browser tab—can leverage Android’s inter-process communication (IPC) mechanism to send a booby-trapped Intent to Chrome’s custom tab handler. Because Chrome runs with the BROWSABLE application class, successful exploitation grants the attacker the ability to read sensitive data from any website the user is logged into, install arbitrary web apps, or pivot to more damaging kernel exploits.

Google’s commit message in the Chromium repository reveals that the patch introduces strict XML schema validation and disables external entity resolution altogether. Additionally, the incoming Intent is now sanitized to strip any extras not explicitly whitelisted by the CCT_EXTRAS_WHITELIST constant. The change is relatively small—just 47 lines in CustomTabsSession.java—but it completely blocks the attack vector.
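The two controls the commit message describes, refusing all DTD and entity processing and allowlisting the extras an Intent may carry, can be illustrated with a small hardened loader. The code below is an added example written for this page, not Chromium's CustomTabsSession.java or any Google code; it uses Python's expat bindings in place of Chrome's parser, and the `<extras>` document shape, the allowlist keys, the size bound and the two rejected sample documents are all constructed for the demonstration.

```python
# Added example (not Chromium's code): a hardened loader for XML arriving in an
# untrusted Intent extra. It mirrors the two controls the patch is described as
# adding: no DOCTYPE or entity processing at all, and an allowlist of extras keys.
# The document shape, key names, size limit and sample payloads are constructed.
import xml.parsers.expat


class UnsafeXml(ValueError):
    """Raised when the document uses a construct the loader refuses to process."""


# Hypothetical allowlist of extras a Custom Tabs-style service would accept
# (stands in for the CCT_EXTRAS_WHITELIST idea; the names are invented here).
EXTRAS_ALLOWLIST = frozenset({"url", "toolbarColor", "sessionId"})
MAX_XML_BYTES = 16 * 1024  # constructed bound: cheap first line of defence


def parse_untrusted_xml(data: bytes, max_bytes: int = MAX_XML_BYTES) -> dict:
    """Parse <extras><key>value</key>...</extras> into a dict, rejecting any
    DOCTYPE, entity declaration or external entity reference before it can
    expand. A billion-laughs payload needs an internal DTD subset, so it is
    stopped at the DOCTYPE handler, before a single entity is declared."""
    if len(data) > max_bytes:
        raise UnsafeXml(f"document exceeds {max_bytes} bytes")

    parser = xml.parsers.expat.ParserCreate()

    def reject(*_args):
        raise UnsafeXml("DOCTYPE, entity declarations and external entities are not allowed")

    parser.StartDoctypeDeclHandler = reject   # fires on <!DOCTYPE ...>
    parser.EntityDeclHandler = reject         # fires on <!ENTITY ...> (defence in depth)
    parser.ExternalEntityRefHandler = reject  # fires before an external entity is fetched

    result: dict = {}
    stack: list = []
    text: list = []

    def start(name, _attrs):
        stack.append(name)
        text.clear()

    def chars(s):
        text.append(s)

    def end(name):
        if len(stack) == 2:  # a direct child of the root element is one extra
            result[name] = "".join(text).strip()
        stack.pop()

    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    parser.Parse(data, True)
    return result


def filter_extras(extras: dict, allowlist=EXTRAS_ALLOWLIST) -> dict:
    """Drop every key that is not explicitly allowlisted."""
    return {k: v for k, v in extras.items() if k in allowlist}


def load_extras(data: bytes) -> dict:
    """Full pipeline: size bound, DTD-free parse, then allowlist filtering."""
    return filter_extras(parse_untrusted_xml(data))


def rejects(data: bytes) -> bool:
    """True if the hardened loader refuses the document (malformed XML counts too)."""
    try:
        load_extras(data)
    except (UnsafeXml, xml.parsers.expat.ExpatError):
        return True
    return False


# Constructed sample documents: one benign extras bundle, a two-level entity
# expansion (the shape of a billion-laughs payload) and an external entity reference.
BENIGN = (b"<extras><url>https://example.com/</url>"
          b"<toolbarColor>#336699</toolbarColor><debugFlag>1</debugFlag></extras>")
ENTITY_BOMB = (b'<?xml version="1.0"?><!DOCTYPE x [<!ENTITY a "aaaaaaaaaa">'
               b'<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">]><extras><url>&b;</url></extras>')
EXTERNAL_REF = (b'<!DOCTYPE x [<!ENTITY ext SYSTEM "file:///constructed/path">]>'
                b'<extras><url>&ext;</url></extras>')

if __name__ == "__main__":
    print("benign ->", load_extras(BENIGN))
    print("entity bomb rejected:", rejects(ENTITY_BOMB))
    print("external entity rejected:", rejects(EXTERNAL_REF))
```

The DOCTYPE handler alone is enough to stop both rejected samples; the entity and external-reference handlers are kept so the loader still fails closed if a future change ever re-enables DOCTYPE parsing. Note that the unallowlisted `debugFlag` key survives parsing but is dropped by `filter_extras`, which is the point of filtering after, not instead of, parsing.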

Affected Versions and Rollout

All Chrome for Android builds prior to 149.0.7827.53 are vulnerable. That includes:

  • Chrome 149.0.7827.49 (the immediate predecessor)
  • Chrome 148.x.x.x stable
  • Chrome 147 and earlier

The Google Play Store phased rollout began on June 4 at 20:00 UTC. A full staged rollout typically reaches 100% of eligible devices within seven days. However, users can force the update immediately by visiting the Play Store listing for Chrome and tapping “Update.” Enterprises managing Android fleets via MDM should push the update as a critical security patch.

The fix is also backported to Chrome 148 Extended Stable, which will receive version 148.0.8192.97 within the same timeframe. Users on older, unsupported Android versions (below 8.0) will not receive the patch and are at permanent risk—Google recommends upgrading devices or switching to a third-party browser that still receives security updates.

Impact on Windows and Cross-Platform Concerns

While the vulnerability is Android-specific, it carries indirect implications for Windows users who synchronize data via their Google account. Chrome’s sync engine propagates cookies, passwords, and browsing history across platforms. If an attacker compromises a user’s Android Chrome session, they can extract session tokens that remain valid on Windows, effectively gaining remote access to accounts without needing to exploit the desktop browser.

Google’s security bulletin explicitly warns that an attacker “could synchronize stolen credentials to a Windows or Mac device using the same signed-in Google Account,” making the Android flaw a bridgehead into broader account takeover. This possibility underscores why Chrome on every platform must be kept up to date—even when a bug is announced for a single operating system.

Microsoft, which maintains its own Chromium-based Edge browser, may face similar risks if the underlying Chromium code contains a comparable XML processing flaw. The Chromium project shares the Custom Tabs implementation across browsers, so other Chromium derivatives (Brave, Opera, Vivaldi) could be affected if they run on Android. However, Google’s patch is submitted upstream, meaning those browsers can cherry-pick the fix once it appears in the Chromium source.

Real-World Exploitation Evidence

Although Google’s disclosure classifies exploitation as “limited,” Threat Analysis Group reports indicate that a Middle Eastern advanced persistent threat (APT) group deployed the exploit as part of a watering-hole campaign targeting journalists and activists. Victims visited a legitimate news site that had been injected with malicious JavaScript. The script forged an Intent with the XML bomb and sent it to Chrome via startActivity(). If the user had Chrome Custom Tabs enabled as the default for links, the exploit triggered silently.

Once executed, the payload installed a malicious Progressive Web App (PWA) that mimicked a 2FA authenticator, capturing one-time passwords and forwarding them to the attackers. This technique bypassed many hardware security key protections because the PWA appeared to originate from a trusted origin. Google has since revoked the abused OAuth tokens and notified affected users directly.

The discovery of in-the-wild exploitation prompted an accelerated patch timeline. Normally, Chrome’s stable-to-stable cycle is four weeks, but this fix—codenamed “Fortnight Push”—was merged, tested, and deployed in just 12 days. Engineering teams worked around the clock to validate the XML parser changes across 14,000+ unit and integration tests without introducing regressions.

Mitigation and Workarounds Until the Update Arrives

For users who cannot update immediately, Google recommends the following short-term mitigations:

  • Disable Chrome Custom Tabs: Navigate to Android Settings → Apps → Chrome → “Set as default” → “Open supported links” and choose “In other app” or “Don’t open in this app.” This forces links to open in the full Chrome browser, which is not vulnerable because it uses a different intent handler.
  • Use a different default browser: Setting Firefox or another browser as the default temporarily shields against most attack vectors, as the rogue Intent targets Chrome’s package specifically.
  • Block untrusted intents: Advanced users can leverage Android’s Work Profile or a firewall app (like NetGuard) to block inter-app communication except for explicitly trusted packages.

These workarounds are not foolproof. They primarily protect against remote exploitation via a website. A local attacker with physical access could still exploit the bug by connecting a malicious USB peripheral that sends Intents, though such attacks are far less common.

How to Check Your Chrome for Android Version

To confirm you are protected, launch Chrome, tap the three-dot menu > Settings > About Chrome. The version number is listed under “Application version.” If it reads 149.0.7827.53 or higher, you are patched. Note that the Play Store sometimes staggers updates based on device characteristics; seeing 149.0.7827.49 means the patch hasn’t reached your device yet.

For enterprise-managed devices, administrators can query the version programmatically using Android’s Device Policy or a custom management agent:

adb shell dumpsys package com.android.chrome | grep versionName

The output contains a versionName= line with the currently installed version string (for example, versionName=149.0.7827.53 on a patched device).
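A fleet check that wraps that command needs more than a single “greater than 149.0.7827.53” comparison, because the advisory names two fixed builds: 149.0.7827.53 on stable and 148.0.8192.97 on Extended Stable. A device on a patched Extended Stable build would otherwise be flagged as vulnerable. The script below is an added example, not Google's or any MDM vendor's tooling; the `dumpsys` sample text (including its versionCode and package hash) is constructed, and `check_device` assumes `adb` is on the path and a single authorized device is attached.

```python
# Added example (not Google's tooling): decide from `dumpsys package` output
# whether the installed Chrome build carries the CVE-2026-11035 fix, honouring
# both fixed builds named in the advisory rather than a single threshold.
import re
import subprocess
from typing import Optional, Tuple

# Fixed builds per major line, as stated in the advisory.
FIXED_BUILDS = {
    149: (149, 0, 7827, 53),  # stable
    148: (148, 0, 8192, 97),  # Extended Stable backport
}


def parse_version(version: str) -> tuple:
    """'149.0.7827.49' -> (149, 0, 7827, 49), so tuples compare numerically."""
    return tuple(int(part) for part in version.strip().split("."))


def is_patched(version: str) -> bool:
    """True if this build is at or above the fix for its own major line."""
    parsed = parse_version(version)
    major = parsed[0]
    if major > max(FIXED_BUILDS):
        return True            # newer major line than any named fix
    fixed = FIXED_BUILDS.get(major)
    if fixed is None:
        return False           # 147 and earlier: no fixed build exists
    return parsed >= fixed


VERSION_RE = re.compile(r"^\s*versionName=(\S+)", re.MULTILINE)


def version_from_dumpsys(output: str) -> Optional[str]:
    """Pull the first versionName= value out of `dumpsys package` output."""
    match = VERSION_RE.search(output)
    return match.group(1) if match else None


def check_device(serial: Optional[str] = None) -> Tuple[Optional[str], bool]:
    """Run the adb query on a real device; assumes adb is installed and authorized."""
    cmd = ["adb"] + (["-s", serial] if serial else []) + \
          ["shell", "dumpsys", "package", "com.android.chrome"]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    version = version_from_dumpsys(out)
    return version, bool(version and is_patched(version))


# Constructed sample of the relevant part of `dumpsys package` output
# (package hash and versionCode are made up for the demo).
SAMPLE_DUMPSYS = """Packages:
  Package [com.android.chrome] (1a2b3c):
    versionCode=782753 minSdk=26
    versionName=149.0.7827.49
"""

if __name__ == "__main__":
    sample_version = version_from_dumpsys(SAMPLE_DUMPSYS)
    print(f"sample device: {sample_version} patched={is_patched(sample_version)}")
    try:
        version, patched = check_device()
        print(f"attached device: {version} patched={patched}")
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        print("no device queried:", exc)
```

The per-major-line table is the part worth copying: an inventory query that only compares against the newest stable build will keep reporting patched Extended Stable devices as outstanding work, and an inventory that only checks the major number will miss 149.0.7827.49.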

The Bigger Picture: Android App Component Security

CVE-2026-11035 is the latest in a series of Android privilege escalation flaws that abuse exported components. Apps like Chrome expose services and broadcast receivers so that other apps can interact with them. The Android manifest must declare these components with appropriate permissions. Chrome’s custom tab service had android:exported="true" and required only the NORMAL permission level, which any app can obtain.

Google’s internal audit after this flaw prompted a hardening of component-level permissions across first-party apps. The fix adds a signature-level permission check to the custom tab service, meaning only apps signed with Google’s release key—or those explicitly listed in a permission whitelist—can send specially crafted Intents. This defense-in-depth measure prevents third-party malware from even touching the vulnerable code path.

Open-source contributors have long argued that the Android security model relies too heavily on the “sandbox” assumption and neglects IPC-level hardening. CVE-2026-11035 validates those concerns and may spur further investment in Android’s IPC firewall, such as SEAndroid policy refinements or automatic intent validation at the framework level.

Timeline of Events

  • May 16, 2026: Google TAG detects suspicious Intents targeting Arabic-language news sites. Anomaly detection flags the Intents as attempting out-of-bounds memory writes.
  • May 19, 2026: Initial report submitted to the Chromium security team.
  • May 21, 2026: Proof-of-concept exploit confirmed on a Pixel 9 Pro running Chrome 148.
  • May 23, 2026: Root cause identified in CustomTabsSession.java XML parsing.
  • May 26, 2026: Fix committed and merged into the trunk branch.
  • June 2, 2026: Stable build 149.0.7827.53 passes QA and is signed.
  • June 4, 2026: Public disclosure and Play Store rollout commence.

This accelerated timeline highlights the severity Google assigned to the bug. In a typical month, the Chrome team patches multiple high-severity issues, but in-the-wild exploitation always triggers an immediate response.

Lessons for Developers and Security Teams

Developers integrating Chrome Custom Tabs into their apps should audit the way they handle Intents, particularly if they accept untrusted extras from external sources. Although the bug is in Chrome, any app that processes XML from an Intent without validation risks similar flaws. The AndroidX Browser library, which wraps Custom Tabs for easier integration, has also been updated to reflect the new security posture—version 1.8.0-alpha05 deprecates methods that pass raw XML extras.

Android security teams at large organizations should add this CVE to their threat models and consider deploying runtime application self-protection (RASP) that monitors inter-app communications for anomalous Intent patterns. Google’s engineering team published an analysis of the XML schema used in the exploit, making it relatively straightforward to write Snort or YARA rules to detect exploitation attempts.

What Users Should Do Now

  1. Update Chrome immediately: Open Google Play, search for Chrome, and tap Update. Do not delay.
  2. Enable automatic updates: In Play Store settings, ensure “Auto-update apps” is set to “Over any network.”
  3. Check sync sessions: Sign into your Google Account on a trusted device and review active sessions. Revoke any unknown sessions under “Security” → “Your devices.”
  4. Monitor installed apps: In Android Settings → Apps, verify no suspicious apps have appeared recently. Look for generic names like “System Update” or “AndroidService.”
  5. Consider a password reset: If you used Chrome’s built-in password manager on an affected Android device, change critical passwords (email, banking, social media) from a known-clean device.

Conclusion

CVE-2026-11035 underscores the fragility of browser-to-app integration on Android. A seemingly minor XML parsing oversight in Chrome Custom Tabs opened the door to full privilege escalation and session hijacking—exploited in the wild within weeks of discovery. Google’s rapid patch cycle and the addition of defense-in-depth measures are commendable, but the incident serves as a stark reminder that the mobile threat landscape continues to evolve. Android fragmentation remains a concern: users on older devices that no longer receive Chrome updates will be left exposed indefinitely.

The patch is available now. If you use Chrome on Android, take five minutes to update—and share this advisory with colleagues who may not have seen the announcement.