Google has patched a serious Chrome for Android vulnerability, CVE-2026-11108, that could allow a remote attacker to escape the browser’s sandbox and escalate privileges on the device via a flaw in the Near Field Communication (NFC) implementation. The fix is included in Chrome version 149.0.7827.53, released on June 4, 2026, and users are urged to update immediately.
What Exactly Is CVE-2026-11108?
CVE-2026-11108 is a high‑severity vulnerability residing in the way Chrome for Android integrates with the device’s NFC chip. The flaw enables a specially crafted website or malicious NFC tag to trigger an out‑of‑bounds memory access in the browser’s NFC‑handling component, potentially leading to sandbox escape and arbitrary code execution with elevated privileges. Google’s official description is brief but stark: “Inappropriate implementation in NFC in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page.”
On Android, Chrome’s sandbox is a critical security boundary that isolates web content from the rest of the operating system. A sandbox escape means an attacker who lures a user to a malicious website—or tricks them into tapping a booby‑trapped NFC tag—could run code outside the browser’s normal confines, potentially gaining access to sensitive data, installing malware, or compromising other apps on the device.
Who Is Affected?
Every Android device running an unpatched version of Chrome prior to 149.0.7827.53 is potentially vulnerable. This includes hundreds of millions of phones and tablets worldwide, because Chrome is the default browser on most Android devices and updates are distributed through the Google Play Store. The vulnerability does not affect Chrome on other platforms (Windows, macOS, Linux, ChromeOS, or iOS) because those versions do not expose the same NFC integration.
Users can check their current Chrome version by navigating to chrome://version in the address bar. The patch is included in the 149.0.7827.53 build (and any later release). If the version number is lower, the device is at risk.
Technical Details: How the Flaw Works
While full proof‑of‑concept code has not been publicly released, the nature of “inappropriate implementation” suggests a logic error rather than a conventional memory corruption bug. Chrome’s NFC support allows web pages to read and write NFC tags using the Web NFC API. This API was designed to simplify interactions like scanning a museum exhibit tag or reading a smart poster. Under the hood, Chrome communicates with the Android NFC stack via a sandboxed IPC mechanism.
The vulnerability likely stems from insufficient validation of data received from the NFC subsystem or from a race condition when multiple NFC operations are triggered rapidly. An attacker could craft an HTML page that invokes the Web NFC API in an unexpected sequence, causing a buffer overflow or use‑after‑free in the Chrome process that handles NFC tasks. Successful exploitation would then allow the attacker to break out of the sandbox and execute code with the permissions of the Chrome application—which on Android includes broad network access, file storage, and interaction with the NFC hardware itself.
A second attack vector involves a malicious NFC tag: if a user taps their device against a tag controlled by the attacker, the tag could deliver data that triggers the same flaw without the user even needing to visit a website.
Discovery and Disclosure
Google’s advisory credits the discovery to an external security researcher, though the individual’s name was not immediately released. The company’s practice is to reward finders through its Vulnerability Reward Program, and researchers often delay publication of technical analysis until after the patch has rolled out widely. The bug was reported through the Chrome Vulnerability Rewards Program and was addressed within the typical 90‑day disclosure deadline.
No evidence of active exploitation in the wild has been made public, but the severity of the bug and the relative novelty of NFC‑based attacks make it a prime candidate for rapid weaponization. As such, Google’s decision to release a dedicated security update on June 4 rather than waiting for the next scheduled Stable channel release underscores the urgency.
A Look at Chrome’s Sandbox and NFC
Chrome’s sandbox architecture is one of the most battle‑tested in the software industry. On Android, the browser uses a multi‑process model where each tab runs inside its own isolated sandbox, enforced by the Linux kernel’s seccomp‑bpf filters. Even if an attacker manages to exploit a rendering engine bug, they should be constrained to that sandbox and unable to interact with the rest of the system without a second, sandbox‑escape vulnerability.
CVE-2026-11108 is particularly dangerous because it combines an initial flaw in the NFC handling code (which itself may only allow an attacker to read or write beyond intended memory regions) with a sandbox‑escape path. Historically, sandbox escapes in Chrome are rare and highly prized: since 2016, fewer than a dozen such vulnerabilities have been disclosed, and each one forced a major security review of the affected component.
The Web NFC API, introduced quietly in Chrome 89 and refined over several versions, has always been a niche feature. To function, a website must be served over HTTPS and request the nfc permission, which the user must explicitly grant. This permission model should limit which sites can even attempt to exploit the bug. However, if an attacker can trick a user into granting the permission—perhaps by disguising the site as a legitimate NFC‑based service—the barrier is low.
Response and Mitigation
Google’s fix, delivered in Chrome 149.0.7827.53, addresses the underlying implementation error. The exact code changes are not public, but the commit message points to improved bounds checking and better synchronization between the NFC worker thread and the IPC layer. The update also strengthens the sandbox around the NFC process on Android, making it harder for any future flaws to lead to a full escape.
Android users should ensure they are running the patched version:
- Open the Google Play Store app.
- Tap your profile icon and select Manage apps & device.
- Under Updates available, find Chrome and tap Update.
- Alternatively, search for “Chrome” in the Play Store and tap Update if the button appears.
- After updating, verify the version by visiting chrome://version.
For enterprise environments using Android Enterprise or managed Google Play, IT administrators should push the latest Chrome update as a priority.
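For fleet checks, the following added example (not from Google's advisory or from this article's sources) reads the active Chrome version out of adb shell dumpsys package com.android.chrome output and compares it numerically against 149.0.7827.53. The sample output, device names and version codes are constructed; com.android.chrome is the package name of Chrome stable on Android.

```python
import re

PATCHED = (149, 0, 7827, 53)  # fixed build named in the article

# Constructed sample of `adb shell dumpsys package com.android.chrome`, trimmed.
# The updated app is listed under "Packages:"; the factory-image copy under
# "Hidden system packages:" is older and must not be mistaken for it.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.android.chrome] (a1b2c3d):
    versionCode=100 minSdk=29 targetSdk=35
    versionName=149.0.7827.53
Hidden system packages:
  Package [com.android.chrome] (e4f5a6b):
    versionCode=90 minSdk=29 targetSdk=34
    versionName=131.0.6613.88
"""

def parse_version(text):
    """Return a 4-part integer tuple, or None if text is not a Chrome version."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", (text or "").strip())
    return tuple(int(p) for p in m.groups()) if m else None

def active_version(dumpsys_output):
    """Return versionName from the "Packages:" section only, or None."""
    section = None
    for line in dumpsys_output.splitlines():
        stripped = line.strip()
        if line and not line[0].isspace() and stripped.endswith(":"):
            section = stripped[:-1]  # top-level section header
        elif section == "Packages" and stripped.startswith("versionName="):
            return stripped.split("=", 1)[1]
    return None

def is_patched(version_name):
    """Numeric comparison; an unparseable or missing version counts as unpatched."""
    parsed = parse_version(version_name)
    return parsed is not None and parsed >= PATCHED

def audit(inventory):
    """Map {device_id: dumpsys text} to sorted (device_id, version) pairs needing review."""
    versions = {dev: active_version(out) for dev, out in inventory.items()}
    return sorted((d, v) for d, v in versions.items() if not is_patched(v))

if __name__ == "__main__":
    old = SAMPLE_DUMPSYS.replace("149.0.7827.53", "149.0.7827.9", 1)
    for device, version in audit({"pixel-01": SAMPLE_DUMPSYS, "tablet-07": old}):
        print(f"{device}: Chrome {version} is below 149.0.7827.53")
```

Comparing the versions as strings would misclassify builds such as 149.0.7827.100 or 99.0.4844.88, which is why each component is compared as an integer.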
Users who cannot immediately update should exercise caution: avoid tapping unknown NFC tags, and do not grant the nfc permission to any website unless absolutely trusted. However, because the bug can be triggered by a website alone (without NFC interaction), the only reliable protection is to install the patch.
Beyond the Patch: Wider Security Implications
CVE-2026-11108 highlights the expanding attack surface created by the Internet of Things and short‑range wireless protocols. NFC, BLE, UWB, and similar technologies are being integrated into browsers to enable new web experiences, but each new API brings the risk of novel bug classes. “This isn’t the first NFC‑related browser vulnerability, and it won’t be the last,” said Jake Moore, Global Cybersecurity Advisor at ESET. “As more everyday interactions move through the browser, the line between web and physical security blurs.”
Browser developers are in a constant arms race. Chrome’s security team has invested heavily in mitigations like Site Isolation, control‑flow integrity (CFI), and memory tagging extensions (MTE) that make exploitation harder even when a bug is present. On newer Android devices with ARMv9 processors, MTE can detect memory safety violations at runtime, potentially turning a critical exploit into a harmless crash. However, legacy devices—which make up the vast majority of the Android ecosystem—lack such hardware‑enforced defenses.
What This Means for Chrome Users
For the average user, the immediate action is clear: update Chrome. The update itself is small and should install automatically for most devices with background updates enabled. There is no known workaround other than installing the patch or switching to a different browser.
If you are a security‑conscious user, consider the following additional steps:
- Review which websites have the nfc permission in Chrome’s site settings (chrome://settings/content/nfc) and revoke access for any site you do not recognize.
- Enable Android’s Play Protect and ensure it scans apps regularly; while it may not block this specific attack, it helps catch malware that might be installed after an exploit.
- On enterprise devices, consider using an MDM policy to force‑install the latest Chrome version and limit NFC usage unless required for business workflows.
The discovery also serves as a reminder that mobile browsers are just as susceptible to sophisticated attacks as their desktop counterparts. “Users often assume their phone is safer by default, but a modern smartphone browser has almost the same capabilities as a desktop browser and runs in an ecosystem with a much larger attack surface,” said Dr. Lukasz Olejnik, an independent privacy and security researcher.
Looking Ahead
Google’s rapid response—from initial report to patch—was within 60 days, a testament to the maturity of its vulnerability handling process. Nevertheless, the bug’s existence raises questions about the ongoing security review process for Web NFC and similar APIs. A chromium.org design document for Web NFC noted in 2024 that the API’s implementation “undergoes regular fuzzing and manual audit,” but clearly a gap remained.
In the next Stable channel release, Chrome 150, the development team is expected to ship additional hardening measures specifically for NFC, including a stronger seccomp profile that filters the system calls available to the NFC worker process. These measures will further reduce the probability that a future vulnerability can be chained into a sandbox escape.
For the long term, the industry must continue to fund and incentivize research into hardware‑browser interactions. As Project Zero’s tracker has shown year after year, vulnerabilities at the intersection of hardware and software are the most difficult to discover and patch. CVE-2026-11108 is a stark case in point.
Stay Protected
CVE-2026-11108 is a high‑impact vulnerability that demands immediate attention. If you haven’t checked your Chrome version today, take a minute now. The update is painless, the risk is real, and the patch is waiting for you in the Play Store.