cve-2026-11029
About this tag
CVE-2026-11029 is a security vulnerability in Google Chrome's Drag and Drop handling on Android, classified as an insufficient-input-validation flaw. It was fixed before Chrome version 149.0.7827.53 and published by NVD on June 4, 2026, though a final NIST CVSS score is pending. The vulnerability is notable not as a direct sandbox escape from a simple page visit, but as a potential second-stage escape after an attacker has already compromised the renderer process. This distinction highlights the importance of browser sandboxing, where the renderer is treated as hostile and the containment boundary is critical. Discussions around CVE-2026-11029 emphasize that modern browser security relies on maintaining that containment line, making such flaws significant for understanding Chrome's defense-in-depth approach.
Google assigned CVE-2026-11029 to an insufficient-input-validation flaw in Chrome’s Drag and Drop handling on Android, fixed before version 149.0.7827.53 and published by NVD on June 4, 2026, where it remains without a final NIST CVSS score. The dry wording understates the interesting part: this...