Google has disclosed CVE-2026-11097, a medium-severity data leak vulnerability in Chrome for Android’s WebView component. The flaw, published June 4, 2026, affects versions prior to 149.0.7827.53 and could let a remote attacker read sensitive data from a device’s web storage. Users must update immediately to the patched version, but the real story extends beyond the fix: inconsistent CPE identifiers are leaving asset inventories blind, and many organizations still lack adequate visibility into mobile browser components.

What is CVE-2026-11097?

The vulnerability resides in WebView, the system component that renders web content inside Android apps. Attackers can craft a malicious webpage that, when loaded in any app using the vulnerable WebView, exploits an insufficient validation flaw in the WebStorage API. This bypasses the same-origin policy and allows exfiltration of data from other sites’ local storage.

Google’s advisory states the bug was reported by an external researcher on April 12, 2026. The Chrome team rated it as medium severity (CVSS 5.3) because it requires user interaction—the victim must visit a specially crafted link—and cannot be triggered without the user opening the page. However, security researchers have long warned that WebView vulnerabilities can be especially dangerous because they affect not just the browser but every app that embeds web content, including banking, productivity, and social media applications.

Affected Versions

  • Chrome for Android before 149.0.7827.53
  • Any Android application embedding a WebView with a Chrome version older than that patch level

The fix is included in the Chrome 149.0.7827.53 update, which began rolling out via Google Play on June 4, 2026. The patch implements proper origin checks when reading and writing web storage from cross-origin iframes.

The Real-World Impact

Though rated medium, the exploitability is significant in targeted attacks. An attacker could host a phishing page that, when opened in a chat app’s built-in browser, silently harvests authentication tokens from the victim’s previously visited sites. This isn’t theoretical: similar WebView flaws have been used in the wild to siphon OAuth tokens and session cookies.

Mobile security teams should prioritize this patch because:

  • Ubiquity: WebView is the default rendering engine for Android apps unless explicitly changed. Virtually every Android 7+ device uses Chrome’s WebView.
  • Invisible attack surface: Users don’t perceive WebView as a separate app. They think they’re safely inside a trusted app, unaware that a malicious link can compromise data from other tabs or apps.
  • Delayed patching: Even after Google fixes Chrome, many Android devices receive WebView updates through system-level OTA updates that can lag by weeks. Users with auto‑update disabled remain vulnerable indefinitely.

Device administrators should check the current WebView version by navigating to Settings → Apps → Android System WebView and verifying it’s at least 149.0.7827.53.

CPE Mapping Gaps: Why You Can’t Find This CVE in Your Scanner

Vulnerability management teams scanning for CVE-2026-11097 are encountering a frustrating roadblock: missing or incorrect CPE (Common Platform Enumeration) entries. CPEs are standardized strings used by NVD (National Vulnerability Database) and most vulnerability scanners to identify affected software. If the CPE is wrong, the CVE won’t appear in reports—leaving organizations with a false sense of security.

The Problem with Chrome’s CPEs

The primary CPE for Chrome is cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*. However, this identifier historically fails to distinguish between desktop and mobile platforms. The NVD often maps Chrome for Android vulnerabilities to the same CPE as desktop Chrome, but with version ranges that don’t align because the release cadences differ. For CVE-2026-11097, the patch version 149.0.7827.53 only exists for Android; the desktop channel was on a different version at the time of disclosure. As of June 6, 2026, the NVD entry for this CVE incorrectly lists the affected product as cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:* covering versions “up to (excluding) 149.0.7827.53” without specifying android in the target software. This means a scanner checking a Windows endpoint for Chrome <149.0.7827.53 would flag it as vulnerable even though that version doesn’t exist for Windows.

Result: Security teams either ignore the alert as a false positive, or they waste time investigating a non‑issue—both outcomes erode trust in vulnerability data.

What to Do While Waiting for NVD Updates

  1. Manually add a custom CPE in your scanner: cpe:2.3:a:google:chrome:*:*:*:*:*:android:*:* with version range <149.0.7827.53. Ensure the target software field (the tenth component of a CPE 2.3 string) is explicitly android; putting "android" in the version field instead would match nothing.
  2. Use software inventory tagging to separate desktop Chrome from Android WebView. Tag all Android devices with an asset group “Android_WebView” and scope the CVE check to that group.
  3. Monitor the NVD CPE feed at https://nvd.nist.gov/vuln/detail/CVE-2026-11097 for corrections. NIST typically takes 3–5 business days to fix vendor‑reported mapping issues after a CVE is published.
  4. Leverage the Chrome release blog as a source of truth: the official stable channel update post lists precisely the affected platforms and versions.
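To see why the target software field matters, here is an added example (not code from Google, NVD or any scanner vendor) that parses CPE 2.3 strings and evaluates a version-range match the way a scanner would; the two match entries mirror the article's description of the current NVD entry and the corrected custom one, and the desktop Chrome version is a constructed value.

```python
"""Evaluate CPE 2.3 match strings against inventory records (added example)."""
from dataclasses import dataclass

# A CPE 2.3 formatted string has 13 colon-separated components:
# cpe:2.3:part:vendor:product:version:update:edition:language:sw_edition:target_sw:target_hw:other
FIELDS = ("part", "vendor", "product", "version", "update", "edition",
          "language", "sw_edition", "target_sw", "target_hw", "other")


def parse_cpe(cpe: str) -> dict:
    parts = cpe.split(":")
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe}")
    return dict(zip(FIELDS, parts[2:]))


def version_tuple(v: str) -> tuple:
    return tuple(int(x) for x in v.split("."))


@dataclass
class CpeMatch:
    cpe: str                    # match string, wildcards allowed
    version_end_excluding: str  # "up to (excluding)" bound from the CVE entry


def is_affected(match: CpeMatch, inventory_cpe: str, installed_version: str) -> bool:
    """True when the inventory record falls inside the match's scope and range."""
    want, have = parse_cpe(match.cpe), parse_cpe(inventory_cpe)
    for name in ("part", "vendor", "product", "target_sw"):
        # "*" in the match string accepts any value; a concrete value must equal it
        if want[name] != "*" and want[name] != have[name]:
            return False
    return version_tuple(installed_version) < version_tuple(match.version_end_excluding)


# Constructed to mirror the article: NVD entry lacks target_sw, custom entry sets it
NVD_ENTRY = CpeMatch("cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*", "149.0.7827.53")
CUSTOM_ENTRY = CpeMatch("cpe:2.3:a:google:chrome:*:*:*:*:*:android:*:*", "149.0.7827.53")

# Inventory records as a scanner would normalize them (target_sw filled in)
WINDOWS_CHROME = "cpe:2.3:a:google:chrome:*:*:*:*:*:windows:*:*"
ANDROID_CHROME = "cpe:2.3:a:google:chrome:*:*:*:*:*:android:*:*"

if __name__ == "__main__":
    # "148.0.0.0" is a constructed desktop version, not a real Chrome release
    print("NVD entry flags Windows Chrome:", is_affected(NVD_ENTRY, WINDOWS_CHROME, "148.0.0.0"))
    print("Custom entry flags Windows Chrome:", is_affected(CUSTOM_ENTRY, WINDOWS_CHROME, "148.0.0.0"))
    print("Custom entry flags old Android Chrome:", is_affected(CUSTOM_ENTRY, ANDROID_CHROME, "149.0.7827.52"))
```

The first call reproduces the false positive the article describes; the second shows the custom entry scoping the check to Android only.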

Inventory Tips: Shining a Light on WebView in Your Environment

Most asset management tools treat Chrome as a monolith. But on Android, WebView operates independently from the Chrome browser app (even though they share the same code base). From a vulnerability management perspective, you need to track both:

  • Google Chrome (the browser app)
  • Android System WebView (the system component)

These can—and often do—have different version numbers. Furthermore, many OEMs (Samsung, Xiaomi, etc.) ship their own WebView implementations based on Chromium, which may not be updated at the same pace.

Step-by-Step: Building an Accurate Inventory

1. Discover all Android devices using your EDR, MDM, or network scanner. Query for os_type:android and collect build fingerprints.

2. Extract WebView version details. Most MDMs can run a custom script to capture the version via dumpsys package com.google.android.webview. The output includes versionName=149.0.7827.xx.

3. If direct version queries are not possible, infer vulnerability by checking the Google Play System Update (GPSU) level. This update packages WebView and other components. As of June 2026, the Android Security Bulletin for the 2026-06-01 patch level includes the fix for CVE-2026-11097. Devices with that patch level (or later) are safe.

4. Differentiate between browsers and WebView. On Android 10+, WebView updates are distributed via Play Store independently from Chrome. Thus, a device might have the latest Chrome browser but an outdated WebView—or vice versa. Scan for both packages:
  • com.android.chrome
  • com.google.android.webview

5. Include Chromium derivatives. Microsoft Edge for Android, Brave, and Opera all use Chromium. While they might not share the exact same WebView component, they incorporate a version of the engine that could carry the flaw if not updated. Check their respective version numbers and map them to the Chromium release that fixed the issue (Chromium 149.0.7827.x).
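Steps 2 and 4 above, as an added example (not from Google or any MDM vendor): it extracts versionName from captured dumpsys output for both packages and reports the "Chrome patched, WebView outdated" case separately. The dumpsys excerpts are constructed and abbreviated to the lines that matter; a package that returns no versionName (absent or an OEM WebView) is reported as unknown rather than silently treated as patched.

```python
"""Assess Chrome and WebView patch state from dumpsys output (added example)."""
import re

FIXED_VERSION = "149.0.7827.53"   # patched version from Google's advisory
PACKAGES = ("com.android.chrome", "com.google.android.webview")

# Constructed excerpts of `dumpsys package <pkg>`; real output has many more lines
SAMPLE_DUMPSYS = {
    "com.android.chrome": (
        "Packages:\n"
        "  Package [com.android.chrome] (3f2a1b):\n"
        "    userId=10123\n"
        "    versionName=149.0.7827.53\n"
    ),
    "com.google.android.webview": (
        "Packages:\n"
        "  Package [com.google.android.webview] (9c0d4e):\n"
        "    userId=10045\n"
        "    versionName=148.0.7455.122\n"   # constructed older version
    ),
}

VERSION_RE = re.compile(r"^\s*versionName=(\d+(?:\.\d+)*)\s*$", re.MULTILINE)


def version_tuple(v: str) -> tuple:
    return tuple(int(x) for x in v.split("."))


def extract_version(dumpsys_output: str):
    """Return the dotted versionName, or None when the output has none."""
    m = VERSION_RE.search(dumpsys_output)
    return m.group(1) if m else None


def assess(outputs: dict) -> dict:
    """Map each tracked package to 'patched', 'vulnerable' or 'unknown'."""
    status = {}
    for pkg in PACKAGES:
        ver = extract_version(outputs.get(pkg, ""))
        if ver is None:
            status[pkg] = "unknown"      # absent or OEM build: check manually
        elif version_tuple(ver) < version_tuple(FIXED_VERSION):
            status[pkg] = "vulnerable"
        else:
            status[pkg] = "patched"
    return status


def device_needs_action(outputs: dict) -> bool:
    """Any vulnerable or unverifiable package means the device is not clear."""
    return any(s != "patched" for s in assess(outputs).values())


if __name__ == "__main__":
    for pkg, state in assess(SAMPLE_DUMPSYS).items():
        print(f"{pkg}: {state}")
```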

Automating the Hunt

Tools like Tenable, Qualys, and Rapid7 have dynamic CPE detection that can identify google:chrome:android:webview if the scan data includes the package name and version. But this only works if your asset records are enriched with software titles and versions. Invest time in normalizing software discovery: create a custom software entry for “Android System WebView” and map all detected instances to it. Then create a vulnerability ticket rule that matches this custom software against CVE-2026-11097 using the version range.

For organizations using Microsoft Defender for Endpoint on Android, the “Software inventory” page automatically detects installed applications and packages. You can export a list of devices with “Android System WebView” and filter by version.

The Broader Lesson: Mobile Components as Unmanaged Risk

CVE-2026-11097 highlights a persistent blind spot: system‑level components like WebView are often omitted from vulnerability management programs. Security teams diligently patch desktops and servers but assume mobile devices are “just phones” handled by users. Yet, a single employee opening a malicious link in a work profile that uses a vulnerable WebView can lead to credential theft and lateral movement.

Forward‑looking enterprises are now incorporating Mobile Threat Defense (MTD) solutions that continuously monitor device security posture, including system app versions. When integrated with SIEM or SOAR, these tools can automatically quarantine a device if a critical WebView vulnerability is detected and unpatched.

What’s Next?

Google has not indicated whether this CVE will be addressed retroactively for Android versions that no longer receive WebView updates (e.g., devices stuck on Android 12 with WebView 122.x). The recommended course is to upgrade to a supported device or use a browser that updates independently, like Firefox for Android which uses Gecko instead of WebView.

NVD should correct the CPE mapping by mid‑June. In the meantime, security teams must rely on manual checks and custom detection rules. The vulnerability itself may be medium severity, but the operational headache caused by incomplete CPE data turns it into a high‑impact event for vulnerability management programs.

Update now, verify your asset inventory, and patch the gaps in your CPE coverage — before a real data leak forces your hand.