CVE-2026-11085: GPU Integer Overflow in Chrome on Android – Patch Now
A flaw in Google Chrome's GPU processing on Android devices allows attackers to trigger an integer overflow—a mathematical error where a number exceeds its storage limit—when rendering specially crafted web pages. This overflow can lead to out-of-bounds memory access, potentially allowing attackers to read sensitive data, modify system memory, or crash the application. The vulnerability requires user interaction (visiting a malicious page) but poses significant risk because it can be triggered remotely and affects a widely-used browser on millions of Android devices.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-190, CWE-472
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Integer overflow in GPU in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: Medium)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11085 is an integer overflow vulnerability (CWE-190) in the GPU rendering pipeline of Google Chrome on Android prior to version 149.0.7827.53. The flaw resides in GPU memory handling logic and can be triggered via a crafted HTML page that causes integer arithmetic to wrap, resulting in out-of-bounds memory access (CWE-472). The vulnerability is reachable without authentication and with minimal computational complexity; exploitation requires user interaction to visit a malicious or compromised webpage. The CVSS 3.1 vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) reflects high confidentiality, integrity, and availability impact within the affected process scope.
Business impact
This vulnerability directly threatens user data confidentiality and device stability for organizations whose employees use Chrome on Android devices for work. Attackers could harvest sensitive information from browser memory, tamper with cached data or credentials, or render the browser unusable. For enterprises with BYOD policies or relying on Android devices for email and collaboration, delayed patching increases the window for exploitation through phishing campaigns delivering malicious pages. The need for user interaction (clicking a link) makes social engineering a viable attack vector, particularly effective against mobile users who may be less cautious about unexpected links.
Affected systems
Google Chrome on Android versions prior to 149.0.7827.53 are affected. Desktop Chrome versions and Chrome on other platforms are not impacted by this particular flaw. Android devices running affected Chrome versions are at risk, spanning both personally-owned and enterprise-managed devices. Organizations using Mobile Device Management (MDM) solutions should verify Chrome version distribution across their Android fleet.
Exploitability
The vulnerability requires network access and user interaction but is otherwise relatively straightforward to exploit. An attacker needs only to host a malicious HTML page and trick or socially engineer a user into visiting it via a link, advertisement, or embedded content. No special privileges or complex setup are needed on the attacker side. The low attack complexity and lack of authentication requirements make this a practical threat for opportunistic attackers and targeted campaigns alike. However, it is not currently listed in CISA's Known Exploited Vulnerabilities catalog, suggesting active exploitation in the wild has not yet been publicly confirmed at scale.
Remediation
Users and administrators must update Google Chrome on Android to version 149.0.7827.53 or later. This update patches the GPU integer overflow. For enterprise environments, push the update through your mobile device management solution or instruct users to manually update via the Google Play Store. Verify the update has been applied by checking Settings > About Chrome. Until patched, users should avoid clicking suspicious links and be cautious of unexpected website redirects.
Patch guidance
Update Google Chrome on Android to 149.0.7827.53 or later. On most devices, this update is available automatically through the Google Play Store; users can manually check for updates by opening Chrome, navigating to Settings > About Chrome, and allowing any pending update to complete. In enterprise environments with Android MDM (such as Google Mobile Device Management or third-party solutions like MobileIron or Intune), deploy the update through your policy engine to ensure consistent coverage. Verify deployment by auditing device compliance reports within your MDM console. Prioritize devices belonging to high-risk users (executives, finance, legal teams) if you cannot update all devices simultaneously.
Detection guidance
Network-level detection is challenging because the malicious payload is embedded in HTML rendered client-side. Focus on endpoint-level monitoring: (1) Log Chrome version information during device compliance scans and flag devices running versions prior to 149.0.7827.53; (2) Monitor for unusual process behavior in Chrome or GPU-related system processes on Android (e.g., unexpected memory access patterns, if your MDM or endpoint protection supports fine-grained visibility); (3) Review user browsing logs for navigation to suspicious or unexpected domains, particularly those not in your organization's whitelist. Consider enabling enhanced safe browsing in Chrome via Group Policy (on managed devices) to surface phishing and malware risks before users click. Behavioral indicators of successful exploitation are difficult to isolate without memory forensics but may include unexpected browser crashes or hangs on specific pages.
Why prioritize this
Although Chromium classifies this as 'Medium' severity internally, the CVSS 3.1 score of 8.8 (HIGH) reflects the real-world impact: remote, low-complexity attack requiring only user interaction, with potential for data exfiltration and integrity compromise. The wide installed base of Chrome on Android and feasibility of social engineering attack vectors justify urgent prioritization. The fact that it has not yet appeared on CISA's KEV list should not lull organizations into complacency; public exploits and adversary interest could emerge quickly once patching details are widely understood.
Risk score, explained
The CVSS 3.1 score of 8.8 is driven by attack vector (Network), attack complexity (Low), privilege requirement (None), and user interaction (Required). The impact ratings—Confidentiality High, Integrity High, Availability High—reflect that successful exploitation can lead to data theft, memory corruption, or denial of service within the scope of the browser process. The 'Unchanged' scope means the impact is contained to Chrome itself and not directly to the underlying Android OS or other applications, slightly moderating an otherwise critical rating. However, compromised browser memory can still contain sensitive user credentials, payment information, and authentication tokens.
Frequently asked questions
Is this vulnerability actively being exploited?
As of the publication date, CVE-2026-11085 is not listed on CISA's Known Exploited Vulnerabilities catalog, indicating no confirmed widespread active exploitation. However, the low barrier to entry (user interaction via a link) and high impact make it a likely candidate for future adversary interest once patches are deployed and researchers release detailed technical analysis.
Do I need to update if my organization doesn't allow personal Chrome use and restricts browsers to managed instances?
If your organization enforces a managed browser or sandboxed environment, your risk is lower but not zero. Unmanaged BYOD devices and personal Android phones used to access corporate services (email, cloud apps) remain at risk. A compromised device could be used to pivot to corporate networks or exfiltrate data. We recommend patching all devices that access corporate resources, regardless of management status.
Can I mitigate this without updating if patching is delayed?
Partial mitigations include: (1) disabling JavaScript in Chrome (Settings > Advanced > Site Settings > JavaScript), which reduces attack surface but breaks many websites; (2) using Chrome's Safe Browsing to detect known phishing/malware domains; (3) restricting app permissions so Chrome cannot access sensitive data or other apps. These are not substitutes for patching and should be treated as temporary measures only.
Will this affect enterprise Chrome browsers or only the consumer version?
The vulnerability affects all versions of Google Chrome on Android prior to 149.0.7827.53, including enterprise-managed instances. If your organization uses Chrome via Android MDM, ensure your MDM policy mandates the patched version across all enrolled devices.
This analysis is based on publicly available information as of the published date and reflects threat and remediation landscape at that time. Patch version numbers, affected product versions, and CVSS scores are derived from official CVE records and vendor advisories; verify against the latest vendor guidance before deploying patches to production environments. No exploit code or weaponized proof-of-concept is provided. Organizations should conduct their own risk assessment based on their specific asset inventory, user population, and threat model. SEC.co makes no warranty regarding the completeness or accuracy of this analysis and disclaims liability for decisions made in reliance upon it. Source: NVD (public-domain), retrieved 2026-07-12. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10921HIGHChrome Dawn Integer Overflow Sandbox Escape Vulnerability
- CVE-2026-10924HIGHChrome Integer Overflow Sandbox Escape Vulnerability
- CVE-2026-11044MEDIUMChrome ANGLE Integer Overflow on macOS – Information Disclosure Risk
- CVE-2026-9882MEDIUMChrome ANGLE Integer Overflow Allows Cross-Origin Data Leakage
- CVE-2026-0095HIGHAndroid Bluetooth Integer Overflow Privilege Escalation
- CVE-2026-10009HIGHChrome Skia Integer Overflow Sandbox Escape – Patch Guidance
- CVE-2026-10015HIGHChrome WTF Integer Overflow RCE Vulnerability Analysis
- CVE-2026-10019HIGHChrome ANGLE Integer Overflow Enables Cross-Origin Data Leak