CVE-2026-11064: Chrome Android GPU Race Condition Data Leak
A race condition in Google Chrome's GPU rendering engine on Android devices allows an attacker who has already compromised the renderer process to steal data from websites you're visiting. The attacker would trick you into viewing a specially crafted webpage, which exploits a timing gap in how the GPU handles memory to read sensitive information across security boundaries. This is a real but limited threat because the attacker must first gain control of Chrome's renderer—a significant prerequisite.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-457
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Race in GPU in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11064 is a use-after-free or data race condition (CWE-457) in the GPU process of Chromium-based Chrome on Android. The vulnerability allows a compromised renderer process to leak cross-origin data by exploiting a race condition during GPU memory access or frame rendering. The attacker crafts an HTML page that triggers a timing window where the GPU exposes data that should be isolated by the same-origin policy. The vulnerability requires prior renderer compromise, limiting the attack surface to scenarios where the attacker has already achieved code execution in Chrome's renderer sandbox.
Business impact
For users, this vulnerability poses a confidentiality risk if their Chrome renderer is already compromised through a separate exploit. Corporate environments managing Android devices should assess whether users are at risk of multi-stage attacks: first a renderer compromise (via a separate vulnerability), then exploitation of this race condition to exfiltrate sensitive session data, credentials, or personal information. Organizations with strict browser isolation policies or those using managed browsers may face lower risk.
Affected systems
Google Chrome on Android versions prior to 149.0.7827.53 are affected. The vulnerability is specific to the Android platform and its GPU implementation. Users running Chrome 149.0.7827.53 or later are protected. Note that Chromium-based browsers on Android that bundle this vulnerable GPU code may also be affected; verify with your browser vendor.
Exploitability
The attack requires two preconditions: (1) the attacker must already control the renderer process (typically requiring a separate, prior exploit), and (2) the user must visit a malicious webpage. The race condition itself is not trivial to trigger reliably, and the prerequisites significantly lower real-world exploitability. The Chromium team has not flagged this for active exploitation in the wild (KEV status: not listed). This is a medium-severity issue suitable for planned patching rather than emergency response.
Remediation
Update Google Chrome on Android to version 149.0.7827.53 or later. Users should enable automatic updates to receive patches automatically. Administrators managing Android devices should enforce Chrome updates through MDM policies. No workarounds exist; patching is the only remediation.
Patch guidance
Chrome on Android auto-updates by default. Verify your Chrome version in Settings > About Chrome; update will occur automatically if available. Organizations using Android Enterprise should deploy Chrome updates via their MDM solution (Intune, VMware Workspace ONE, etc.). Test compatibility with your applications after updating, though version 149 is a standard maintenance release with no known breaking changes.
Detection guidance
Monitor for Chrome versions older than 149.0.7827.53 in your device inventory using MDM or endpoint detection platforms. Inspect browser logs for unusual GPU errors or crashes that might indicate exploitation attempts. Because exploitation requires prior renderer compromise, also monitor for signs of renderer sandbox escape or unusual memory access patterns. Correlation with other indicators (suspicious JavaScript, heap spray attempts) would strengthen detection. No specific network-based signature exists for this race condition.
Why prioritize this
This vulnerability merits standard priority (not critical) because exploitation requires two significant hurdles: prior renderer compromise and successful race condition triggering. However, it should not be ignored; it is a real information disclosure flaw. Organizations should patch within their normal update cadence (1–2 weeks) rather than declaring an emergency. Prioritize if you operate in high-risk environments (financial, government, media) where multi-stage attacks are plausible.
Risk score, explained
CVSS 6.5 (Medium) reflects the high confidentiality impact (C:H) but limited attack vector and high privilege requirements. The 'PR:N' and 'AC:L' terms are somewhat misleading here—they describe the immediate attack (visiting a webpage) rather than the full chain (which requires prior sandbox escape). The rating appropriately downgrades severity because real-world exploitation demands sophisticated prerequisites. Do not interpret this as a trivial flaw; it is a legitimate data leak in a widely used browser.
Frequently asked questions
Do I need to patch this immediately?
No. While the vulnerability is real, it requires an attacker to have already compromised your Chrome renderer through a separate exploit. If you follow standard patching practices (updates within 1–2 weeks), you are adequately managing this risk. Only if you have evidence of active renderer exploitation in your environment should you patch within 24–48 hours.
Does this affect Chrome on desktop or other platforms?
This vulnerability is specific to Chrome on Android and the Android GPU implementation. If you use Chrome on Windows, macOS, or Linux, you are not affected by this particular flaw. Always check platform-specific advisories when patching.
What does 'compromised renderer process' really mean?
It means an attacker has achieved code execution inside Chrome's renderer sandbox—typically through a use-after-free, buffer overflow, or similar memory bug in the JavaScript engine or web APIs. Once they control the renderer, they can execute malicious code, and this GPU race condition becomes another tool to steal data. In practice, most users will never encounter the combination of two exploits in the wild.
Can I defend against this without patching?
There is no workaround. However, you can reduce attack surface by disabling hardware acceleration (Settings > Advanced > System > toggle off 'Use hardware acceleration'), which forces the GPU code path to be unused. This is not practical for most users but may be viable for high-security environments that accept the performance trade-off.
This analysis is provided for informational purposes only and does not constitute professional security advice. Always verify patch availability and compatibility with your environment before deploying updates. CVSS scores and severity ratings are provided by Chromium and NVD and should be interpreted in context with real-world exploitability and your organization's risk profile. SEC.co does not take responsibility for decisions made based on this intelligence; consult your security team and vendor advisories for binding guidance. Source: NVD (public-domain), retrieved 2026-07-12. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10008MEDIUMChrome Android GPU Memory Disclosure Vulnerability
- CVE-2026-10977MEDIUMUninitialized Use in Chrome Skia Renderer—Data Leak Risk
- CVE-2026-10994MEDIUMGoogle Chrome ANGLE Memory Disclosure Vulnerability – Update to 149.0.7827.53
- CVE-2026-11033MEDIUMChrome macOS WebML Memory Disclosure Vulnerability
- CVE-2026-11039MEDIUMChrome Skia Uninitialized Variable Data Leak Vulnerability
- CVE-2026-11057MEDIUMChrome Skia Uninitialized Memory Leak – 6.5 CVSS
- CVE-2026-11067MEDIUMChrome Memory Disclosure Vulnerability in Dawn – Patch to 149.0.7827.53
- CVE-2026-11087MEDIUMChrome ANGLE Memory Leak Allows Cross-Origin Data Theft