Google has patched a low-severity vulnerability in Chrome for Android that could have allowed malicious applications to leak sensitive data through the browser's Custom Tabs feature. Tracked as CVE-2026-11247, the flaw was disclosed on June 4, 2026, and a fix was included in Chrome version 149.0.7827.53.

The vulnerability stemmed from insufficient policy enforcement in Custom Tabs, a widely used Android API that lets apps open web content in a lightweight, customizable Chrome wrapper. Technical details remain sparse, consistent with Google's policy of restricting access to bug reports until a majority of users are updated, but the advisory's wording places the issue in how Chrome enforced cross-origin boundaries for content loaded inside a Custom Tab.

What Are Chrome Custom Tabs?

Chrome Custom Tabs have become an integral part of the Android experience. Instead of forcing users out of an app to open a full browser, developers can invoke a Chrome-rendered tab that appears inside their own application, with a toolbar the app can colour and customize. The page is rendered by Chrome itself, so it uses the user's Chrome profile (cookies and signed-in state included) and runs in the same renderer sandbox as the full browser.

For users, this means a faster, more seamless browsing experience when tapping links in apps like Twitter, Reddit, or news readers. For developers, it means reduced friction, because users stay in their app. But the tight integration also means that any security gap in Custom Tabs can have an outsized impact: because the tab carries the user's full Chrome profile, a bug that weakens origin isolation exposes data belonging to other sites the user is logged into, not just the page the app meant to show.

The Insufficient Policy Enforcement Problem

Insufficient policy enforcement is a broad class of vulnerability where the browser fails to properly restrict actions based on the origin of content. In the context of Custom Tabs, this could mean that a specially crafted website loading inside a Custom Tab could bypass same-origin restrictions, set cookies for unintended domains, or read data that should be isolated.

The National Vulnerability Database (NVD) entry for CVE-2026-11247 has not yet been published as of this writing, but Google's internal severity rating of “low” suggests that exploitation requires specific conditions—perhaps user interaction or a complex chain of events. Even so, the potential for data leakage makes it a priority for enterprise and security-conscious users.

What We Know About the Exploit

Without the full technical write-up, we can only draw from the description: "insufficient policy enforcement in Custom Tabs could let a remote attacker leak cross-origin data via a crafted HTML page." This language mirrors past vulnerabilities in Chrome's navigation and tab management systems. An attacker would need to get a user to open a link that launches a Custom Tab, then use the page loaded in that tab to obtain data from other origins that should have been isolated from it.

In practice, an app with minimal permissions could present a link that, when tapped, opens a seemingly innocuous page in a Custom Tab. With the policy check broken, that page could read cross-origin data that Chrome should have withheld from it. Two caveats keep this in proportion. Page JavaScript has no API for reading Chrome's password store, payment methods, or another origin's cookies, so a "cross-origin data leak" in this class of bug means web data belonging to another site (page state, responses, navigation details), not a direct dump of saved credentials. And Google's Low rating signals that the leak is narrow or needs specific conditions; it does not make it harmless, since a small leak of another origin's data is exactly the kind of primitive that gets chained with other bugs.

Google’s advisory does not indicate that this vulnerability was exploited in the wild before the patch was released. That’s the norm for low-severity issues: they are fixed proactively, often reported through the Chrome Vulnerability Rewards Program or by internal security teams.

The Patch: Chrome 149.0.7827.53

The fix landed in Chrome for Android version 149.0.7827.53, which began rolling out on June 4, 2026. The version number follows Chromium's four-part scheme (major.minor.build.patch) and its rapid release cycle, in which the major version increments roughly every four weeks and point releases ship security fixes in between. At the time of writing, 149 is the current stable major version for Chrome on Android.

Users should verify that their Chrome installation is up to date. On most Android devices, Chrome updates are handled through the Google Play Store. To check:
- Open the Play Store
- Tap your profile icon > Manage apps & device
- Look for Chrome under “Updates available”
- Alternatively, open Chrome, tap ⋮ > Settings > About Chrome to read the installed version; if it is older than 149.0.7827.53, update through the Play Store.

On devices where Chrome ships as a pre-installed system app, the update still arrives as an ordinary Play Store app update layered over the system copy; Google Play system updates deliver platform modules, not Chrome. Only devices without Google Play, or with it disabled by policy, depend on the OEM or the MDM to deliver a new build. Enterprise administrators should make Chrome a required, auto-updating app in managed Google Play and confirm the installed version from their MDM's app inventory rather than relying on users to tap "Update".

Wider Implications for Custom Tabs Security

This isn’t the first time Chrome Custom Tabs have been in the security spotlight. Because Custom Tabs share the same cookie jar and login state as the full browser, any bug that weakens origin isolation can have serious privacy consequences. In 2024, a similar medium‑severity issue allowed cross‑origin cookie injection through improperly validated intents.

For developers using Custom Tabs in their apps, the fix lives in Chrome, not in the androidx.browser client library. The library only builds the intent and, optionally, warms up a service connection; rendering and policy enforcement happen inside the browser that handles the intent. Keeping androidx.browser current is still good practice, since newer releases expose the current API surface and fix client-side bugs, but an app on an older library is protected as soon as the user's Chrome is updated. The developer-side controls that actually matter here are binding the Custom Tab to a known browser package rather than to whichever app claims the intent, and keeping secrets such as session tokens out of the URLs handed to a Custom Tab, because everything in that tab is shared with the browser's profile.

Google has been steadily hardening Android's inter-app communication model, especially after high-profile task-hijacking vulnerabilities like StrandHogg. Custom Tabs are launched via intents, and recent Android releases have tightened intent resolution and package visibility so that an arbitrary app cannot quietly insert itself into that handoff. That is a platform-level defense against the wrong app receiving the tab; the browser's own enforcement of the same-origin policy inside the tab is a separate layer, and that is the layer CVE-2026-11247 affected.

Why Should Windows Users Care?

You might wonder why a Windows-focused site covers an Android Chrome bug. The answer lies in how interconnected modern ecosystems are. If you use Chrome on Windows and sync your data (bookmarks, passwords, payment methods; cookies are not part of Chrome sync) to your Android device, a data leak on mobile could expose a signed-in session for a service you also use on the desktop. Many Windows users also use the same Google account across every device they own, so a compromised Chrome profile on one device can be a foothold for broader account takeover.

Additionally, enterprises that deploy Microsoft Edge on Android are not automatically out of scope. Edge for Android is Chromium-based and serves Custom Tabs to third-party apps when it is the default browser. Google's advisory does not say whether Edge's fork shares the affected code path, and Microsoft had not issued a separate advisory at the time of writing. Chromium security fixes normally reach Edge's stable channel within days of the upstream release; Edge users on Android should install the next update when it appears rather than assume a particular channel already carries the fix.

The Bigger Picture: Mobile Browser Patching

CVE-2026-11247 underscores the importance of timely mobile browser updates. Unlike desktop Chrome, which can update silently in the background, Android updates rely on the Play Store’s auto‑update mechanism, which some users disable to save data or battery. According to Google’s own statistics, about 23% of Android Chrome installations are not on the latest version at any given time.

For security‑conscious users, enabling automatic updates for Chrome and other critical apps is a simple but effective step. In Settings > Network preferences > Auto‑update apps, choose “Over any network” to ensure updates download even on mobile data. Combined with Google Play Protect, which scans for malicious apps, this forms a baseline defense against low‑severity threats that could be used in chained attacks.

How Google Handles Low‑Severity Vulnerabilities

Google distinguishes vulnerabilities based on their severity level: Critical, High, Medium, and Low. The rating reflects both the potential impact and the difficulty of exploitation. A Low severity typically means the bug requires specific user actions, non‑default configurations, or has limited reach. These flaws often don’t make headlines, but they are fixed as a matter of routine hygiene.

By contrast, a Critical or High-severity bug in Chrome would trigger a more rapid and public response, often with an out-of-band update. Because CVE-2026-11247 is rated Low, it shipped with a regular release rather than an emergency one. Any Chrome Vulnerability Rewards Program payout for a Low-severity finding sits at the bottom of Google's published scale.

What to Do Now

  • Update Chrome immediately: On Android, open the Play Store, check for updates, and install version 149.0.7827.53 or later.
  • Verify the version: In Chrome, go to Settings > About Chrome. The version string should be 149.0.7827.53 or higher.
  • Enable automatic updates: To prevent future lags, set the Play Store to auto‑update apps over any network.
  • Review app permissions: While this bug doesn’t require app permissions to exploit, reducing the attack surface by uninstalling untrusted apps is always wise.
  • Enterprise admins: Push the latest Chrome version through managed Google Play (set it as a required, auto-updating app) and verify the installed version in your MDM's app inventory. There is no Chrome browser policy that forces updates on Android; the Play Store is the update channel.
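The manual version check above (Settings > About Chrome) does not scale across a fleet. The script below is an added example, not something from Google or the Chrome project, that does the same check from a workstation: it reads the installed Chrome build from `adb shell dumpsys package` and compares it numerically against the fixed build named in this article. It assumes adb is on PATH and the device is authorized for USB debugging; the package name com.android.chrome is the stable Chrome channel. The dumpsys excerpt embedded in the script is constructed so the example runs offline; pass `--live` to query a real device.

```shell
#!/bin/sh
# Added example: check an Android device's Chrome build against the fixed
# version from this article. Assumes adb is on PATH and the device is
# authorized for USB debugging. The embedded dumpsys sample is constructed.

FIXED_VERSION="149.0.7827.53"
CHROME_PKG="com.android.chrome"   # stable channel; beta is com.chrome.beta

# Pull the versionName value out of `dumpsys package` output read from stdin.
# Real output contains a line of the form "    versionName=149.0.7827.53".
chrome_version_from_dumpsys() {
  sed -n 's/^[[:space:]]*versionName=\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Numeric, component-wise comparison of two dotted versions. A plain string
# compare gets "149.0.7827.9" vs "149.0.7827.53" wrong, which is why this
# exists. Returns 0 (true) when $1 >= $2.
version_ge() {
  i=1
  while [ "$i" -le 4 ]; do
    a=$(printf '%s' "$1" | cut -d. -f"$i")
    b=$(printf '%s' "$2" | cut -d. -f"$i")
    a=${a:-0}
    b=${b:-0}
    [ "$a" -gt "$b" ] && return 0
    [ "$a" -lt "$b" ] && return 1
    i=$((i + 1))
  done
  return 0
}

# Classify a version string: patched, vulnerable, or unknown (empty input,
# e.g. Chrome not installed or the device not reachable).
patch_status() {
  [ -z "$1" ] && { echo unknown; return; }
  if version_ge "$1" "$FIXED_VERSION"; then echo patched; else echo vulnerable; fi
}

# Constructed sample of the relevant dumpsys lines (an unpatched build):
SAMPLE_DUMPSYS='Package [com.android.chrome] (a1b2c3d):
    versionCode=770001000 minSdk=26 targetSdk=35
    versionName=148.0.7700.10
    flags=[ SYSTEM HAS_CODE ALLOW_CLEAR_USER_DATA UPDATED_SYSTEM_APP ]'

if [ "${1:-}" = "--live" ]; then
  ver=$(adb shell dumpsys package "$CHROME_PKG" | chrome_version_from_dumpsys)
else
  ver=$(printf '%s\n' "$SAMPLE_DUMPSYS" | chrome_version_from_dumpsys)
fi
echo "Chrome $ver: $(patch_status "$ver")"
```

Run it against a live device with `sh check_chrome.sh --live`; without the flag it evaluates the constructed sample and reports it as vulnerable. To cover a whole fleet, wrap the `--live` branch in a loop over `adb devices -l` serials, or feed the same `version_ge` check the version strings exported from your MDM's app inventory.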

Despite the low severity, treating every patch as essential is the hallmark of a robust security posture. The next time a critical Chrome zero‑day drops—and they do, often—you’ll already have the update pipeline primed.

Looking Ahead

Google has not yet released the full bug details. According to the Chrome Releases blog, access to the bug tracker entry is restricted “until a majority of users are updated.” That could take several weeks. Once the details become public, we may learn exactly how an attacker could have crafted an HTML page to leak cross‑origin data. For now, the practical takeaway is unchanged: update your browser.

As Android continues to merge with ChromeOS and Windows integration deepens, vulnerabilities in any part of the Chromium ecosystem become everybody’s problem. CVE-2026-11247 serves as a quiet reminder that even low‑severity flaws deserve attention—because in the world of cybersecurity, today’s low impact can be tomorrow’s chain link.

Windows users who rely on Chrome or Edge across devices should treat this as a trigger to audit all their installations. Check not just Android phones but Chromebooks, Windows desktops, and tablets. A single unpatched device can undermine the security of your entire sync chain.