Google has disclosed CVE-2026-11172, a medium-severity vulnerability in Chrome for Android that allows a remote attacker to spoof the Contact Picker security UI. Published on June 4, 2026, the flaw affects all versions of Chrome on Android prior to 149.0.7827.53. By exploiting incorrect UI behavior, an attacker can trick users into granting access to their contacts without realizing they are interacting with a malicious site.

The Vulnerability

CVE-2026-11172 resides in the Chromium Contact Picker implementation. When a website requests access to a user’s contacts, Chrome displays a permission prompt with origin information—the site’s URL or domain—to help users make an informed decision. This vulnerability allows an attacker to manipulate that prompt, making it appear as if the request originates from a trusted source. The flaw stems from insufficient security checks in the UI rendering, potentially enabling a remote attacker to overlay or spoof the origin display.

Google’s security advisory classifies the issue as medium severity, but its practical impact can be severe in targeted attacks. The CVSS score is not yet assigned, but it likely falls between 4.0 and 6.9 given the medium rating. The vulnerability was discovered internally and has not been observed in active exploitation as of the disclosure date.

Technical Details

While the full technical breakdown is restricted until most users have updated, the vulnerability involves the contacts permission API and the contacts-picker feature. In Chrome, the Contact Picker dialog uses a system UI overlay with the origin string. The bug allows a crafted page to interfere with that origin display, possibly through timing attacks or CSS manipulation, causing the UI to show a different origin than the actual requesting site.

This is not a traditional code-execution flaw but a UI spoofing vulnerability. It undermines user trust in the browser’s security indicators, a class of issue that Google has increasingly patched over the years. Similar spoofing bugs (e.g., CVE-2020-6457, CVE-2021-30515) have been used in social-engineering campaigns to harvest sensitive data.

Threat Landscape

UI spoofing attacks are potent because they bypass technical controls by exploiting human psychology. In this scenario, an attacker could create a malicious website that mimics a legitimate service—say, a popular delivery app or business card scanner. When a user visits the site, it triggers the Contact Picker, but the prompt displays a trusted domain like google.com or outlook.com. Convinced the request is genuine, the user grants access, unwittingly exposing all stored contacts.

From the attacker’s perspective, the harvested contacts are not just names and numbers. They include email addresses, street addresses, and custom labels that reveal relationships (e.g., "Mom", "Client X"). This data fuels spear-phishing, identity theft, and corporate espionage. On Android devices used for work, the contacts often sync with enterprise directories, making a breach far more damaging than a personal leak.

Mobile browsers are particularly vulnerable to UI spoofing because screen real estate is limited, and users are conditioned to tap through prompts quickly. Chrome for Android’s dominance—over 65% of mobile browsing—makes it the primary target for such attacks.

Enterprise Risks

For organizations, this vulnerability is a compliance and data-protection nightmare. Many enterprises allow employees to use personal Android devices for work under BYOD policies, often with a corporate container or MDM profile. Chrome is typically the default browser, and users sync business contacts from Exchange, Google Workspace, or third-party CRMs. A single compromised device can leak thousands of business contacts.

Regulatory fines under GDPR, CCPA, or industry standards like PCI-DSS can follow a preventable data breach. Beyond financial penalties, the loss of client trust and competitive intelligence can have lasting consequences. Attackers often sell contact databases on dark web markets, where they are used for targeted social engineering months later.

Furthermore, the medium severity label might lull IT teams into complacency. Unlike a critical RCE that demands immediate patching, medium-severity flaws sometimes linger unpatched for weeks. However, given the straightforward exploit vector—just visiting a website—this vulnerability warrants the same urgency.

Mitigation Steps

Immediate Patch

Google has fixed the flaw in Chrome for Android version 149.0.7827.53, released on June 4, 2026. All users must update immediately. Enterprises should verify that all managed Android devices have auto-update enabled and are running this version or later.

Check and update:
- Open the Google Play Store on the Android device.
- Search for "Chrome" and tap "Update" if available.
- Verify the version by navigating to chrome://version in the address bar.
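Manual checks through chrome://version do not scale to a fleet, and comparing version strings as text gets the answer wrong (as text, "149.0.7827.9" sorts above "149.0.7827.53"). The script below is an added example, not part of Google's advisory or any MDM product: it takes the output of `adb shell dumpsys package com.android.chrome` collected per device, pulls the `versionName=` line (assumed format), compares it component by component against the fixed build named above, and reports devices it cannot parse as unknown rather than passing them. The sample inventory is constructed.

```python
"""Audit Chrome for Android versions against the CVE-2026-11172 fixed build.

Added example: per-device `dumpsys package com.android.chrome` output is
parsed and compared numerically against the fixed version from the advisory.
"""
import re
from typing import Dict, Optional, Tuple

# Fixed version named in Google's advisory.
FIXED_VERSION = "149.0.7827.53"

# Assumption: `dumpsys package` prints the app version as "versionName=a.b.c.d".
VERSION_NAME_RE = re.compile(r"versionName=(\d+(?:\.\d+)+)")


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted Chrome version into integers so comparison is numeric.

    A plain string compare ranks "149.0.7827.9" above "149.0.7827.53";
    tuples of ints compare each component as a number instead.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `version` is the fixed build or newer."""
    return parse_version(version) >= parse_version(fixed)


def version_from_dumpsys(dumpsys_output: str) -> Optional[str]:
    """Extract Chrome's versionName from `dumpsys package` output, or None."""
    match = VERSION_NAME_RE.search(dumpsys_output)
    return match.group(1) if match else None


def audit(inventory: Dict[str, str], fixed: str = FIXED_VERSION) -> Dict[str, str]:
    """Map each device id to 'patched', 'vulnerable' or 'unknown'.

    A device whose output yields no parseable version is reported as
    'unknown' instead of being silently counted as compliant.
    """
    results: Dict[str, str] = {}
    for device_id, output in inventory.items():
        version = version_from_dumpsys(output)
        if version is None:
            results[device_id] = "unknown"
        elif is_patched(version, fixed):
            results[device_id] = "patched"
        else:
            results[device_id] = "vulnerable"
    return results


# Constructed sample: trimmed dumpsys output for four hypothetical devices.
SAMPLE_INVENTORY = {
    "device-A": "Package [com.android.chrome]\n    versionName=149.0.7827.53\n",
    "device-B": "Package [com.android.chrome]\n    versionName=148.0.7700.112\n",
    "device-C": "Package [com.android.chrome]\n    versionName=149.0.7827.9\n",
    "device-D": "(no Chrome package data returned)\n",
}

if __name__ == "__main__":
    for device_id, status in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{device_id}: {status}")
```

Feed the function real inventory by capturing the dumpsys output from each enrolled device, or substitute whatever version field your MDM exports; the comparison logic is the same either way.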

Enterprise Deployment

IT administrators can enforce updates through mobile device management (MDM) platforms:
- Microsoft Intune: Set a minimum Chrome version policy and require updates within 24 hours.
- VMware Workspace ONE: Use app management to push the latest Chrome APK.
- Google Admin console: For managed Chrome browsers on Android, configure force-install with the minimum version.

Additionally, consider these hardening measures:
- Disable the Contact Picker API via policy: Set DefaultContactPickerSetting to 2 (Do not allow any site to use the Contact Picker). This is a blunt instrument but eliminates the attack surface entirely.
- Site isolation: Enable strict site isolation (chrome://flags/#enable-site-per-process) to reduce the likelihood of cross-origin UI manipulation, though it does not directly fix this bug.
- Content settings: Use URLBlocklist to restrict access to high-risk sites that might employ this attack.

User Education

No patch can replace security awareness. Inform employees about the risks of granting contact permissions, especially on mobile devices. Advise them to:
- Scrutinize the origin in permission prompts—if it looks odd, deny and report.
- Avoid granting contact access to websites they do not explicitly trust.
- Report any phishing attempts to IT immediately.

The Bigger Picture

CVE-2026-11172 is a reminder that browser security is not only about patching memory corruption bugs. UI spoofing vulnerabilities are a persistent threat because they target the human element, which is harder to update. Chrome’s security team has invested in Project Zero-style fuzzing and manual audits, but the complexity of the web platform ensures a steady stream of such issues.

With the increasing push toward Progressive Web Apps (PWAs) and richer web APIs, contact access is becoming more common. Enterprises relying on web-based CRM tools, customer support portals, or collaboration platforms must assume these APIs will be targeted. A shift to zero-trust principles in browser permissions—requiring re-verification for each sensitive action—could mitigate the impact of future spoofing bugs.

Google’s rapid disclosure and patch are commendable, but the onus is on organizations to deploy updates without delay. In an era where mobile devices access corporate data, a single unpatched browser can be the breach point. For security teams, CVE-2026-11172 should be a catalyst to review patch management for mobile browsers and audit contact-sharing practices across the workforce.