Cyber Resilience

CVE-2026-11172

HighUpdated

Published: 04 June 2026

Published
04 June 2026
Modified
17 June 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0023 14.3th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-11172 is a high-severity User Interface (UI) Misrepresentation of Critical Information (CWE-451) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Spearphishing Link (T1566.002); ranked at the 14.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Incorrect security UI in Contact Picker in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1566.002 Spearphishing Link Initial Access
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.
T1204.001 Malicious Link Execution
An adversary may rely upon a user clicking a malicious link in order to gain execution.
Why these techniques?

UI spoofing via crafted HTML page directly facilitates spearphishing links and malicious link execution to deceive users into unintended contact sharing.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

Affected Assets

google
chrome
≤ 149.0.7827.53

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References