MEDIUM 5.3

CVE-2026-11145: Chrome Android Geolocation Race Condition Data Leak

A race condition in Google Chrome's geolocation feature on Android devices allows attackers to steal sensitive information across website boundaries. By crafting a malicious webpage, an attacker can exploit a timing vulnerability to extract data from other origins—websites or apps—that the user has visited or is logged into. The vulnerability requires user interaction (visiting the malicious page) and specific technical conditions to trigger, but successful exploitation could expose authentication tokens, personal information, or other confidential data from legitimate services.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.3 MEDIUM · CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-362
Affected products
2 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Race in Geolocation in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11145 is a race condition (CWE-362) in the geolocation subsystem of Chrome on Android versions prior to 149.0.7827.53. The vulnerability stems from improper synchronization when the geolocation API handles permission requests and data access from multiple sources. A remote attacker can craft an HTML page that races geolocation permission prompts against cross-origin requests, allowing unauthorized access to location data or related user identifiers that bypass same-origin policy enforcement. The attack surface is limited by browser security boundaries, but the lack of proper state isolation during the race window creates the exploitable condition.

Business impact

Organizations whose employees or customers use Chrome on Android devices face data exposure risk if users visit attacker-controlled websites while logged into sensitive services. The leaked cross-origin data could include session tokens, user IDs, or other PII tied to accounts on third-party platforms, potentially leading to account takeover, phishing follow-ups, or identity theft. For enterprises, the impact depends on employee browsing habits and the sensitivity of services accessed from mobile devices. SaaS providers and web applications should assume some Android Chrome users may be vulnerable until they patch.

Affected systems

Google Chrome versions prior to 149.0.7827.53 on Android operating systems are affected. Desktop and iOS versions of Chrome are not impacted by this specific vulnerability. The vulnerability affects all Android devices running the vulnerable Chrome release, regardless of Android version. Users on Chrome 149.0.7827.53 and later are protected.

Exploitability

Exploitability is moderate. The attack requires user interaction—the victim must visit a malicious webpage—and the race condition has high complexity (AC:H in the CVSS vector), meaning the attacker must achieve precise timing or environmental conditions to succeed. However, once those conditions align, no authentication or special privileges are needed; a remote attacker can exploit the vulnerability over the network. The reliance on user interaction and technical precision prevents this from being a trivial remote code execution scenario, but it remains a practical risk for targeted attacks or widespread campaigns using refined exploitation techniques.

Remediation

Immediately update Google Chrome on Android devices to version 149.0.7827.53 or later. Users can verify their current Chrome version via Settings > About Chrome, which automatically checks for and prompts installation of available updates. Organizations managing Android devices via Mobile Device Management (MDM) platforms should deploy the patched Chrome version across their fleet. No workarounds exist that fully mitigate the race condition; patching is the only reliable fix. Consider prioritizing patch deployment on devices used to access sensitive services or that handle authentication tokens for critical accounts.

Patch guidance

Update Chrome on Android via the Google Play Store or system settings. The patch is version 149.0.7827.53. Auto-update should be enabled by default, but users can manually check for updates in Settings > About Chrome. For enterprise deployments, use your MDM solution to enforce the minimum version or enable automatic updates through managed Google Play. Verify patch deployment by confirming installed Chrome version matches 149.0.7827.53 or later across your device inventory. No staged rollout is necessary; all users should receive the patch immediately.

Detection guidance

Detection of exploitation in real-time is difficult because the vulnerability exploits browser internals rather than leaving obvious network signatures. However, security teams can monitor for: (1) unusual cross-origin data access patterns in application logs, particularly around geolocation permission requests; (2) unexpected authentication tokens or session IDs appearing in logs from unfamiliar IP addresses or device profiles; (3) alerts from identity and access management (IAM) systems flagging suspicious login attempts shortly after anomalous mobile browser activity. Endpoint Detection and Response (EDR) tools on managed Android devices may flag suspicious Chrome process behavior during exploitation, but such signals are subtle. Focus detection efforts on the post-exploitation phase: monitor for account access anomalies tied to Android Chrome users.

Why prioritize this

While the CVSS score is Medium (5.3) and exploitation requires user interaction and precise timing, the consequence of successful exploitation—cross-origin data leakage including potential session hijacking—is operationally significant for organizations relying on sensitive web applications. The vulnerability affects a widely-used browser on a prevalent mobile platform, meaning exposure is broad across the user base. The absence of known active exploitation (per KEV status) provides a window to patch before weaponization becomes common. Prioritize patching based on user segments: highest priority for employees accessing financial, healthcare, or identity services from Android Chrome; standard priority for general user populations.

Risk score, explained

The CVSS 3.1 score of 5.3 (Medium) reflects the combination of network-based attack vector (AV:N), high attack complexity (AC:H), required user interaction (UI:R), and high confidentiality impact (C:H) with no integrity or availability loss. The score correctly captures that successful exploitation is non-trivial but yields significant data exposure. The real-world risk depends on your threat model: if your organization's users frequently access sensitive services from Android Chrome, the practical risk may exceed the CVSS baseline. Conversely, if your environment is primarily desktop-based or uses managed browsers, risk is lower. Use this score as a starting point; contextualize based on your mobile Chrome usage and the sensitivity of services accessed.

Frequently asked questions

Can this vulnerability be exploited on desktop Chrome or iPhone Chrome?

No. The vulnerability is specific to Chrome on Android due to differences in how the geolocation subsystem is implemented across platforms. Desktop Chrome and iOS Chrome are not affected.

What data can an attacker actually steal?

The vulnerability allows cross-origin data leakage, which could include geolocation information, user identifiers, or authentication session tokens tied to websites the user has visited. The exact payload depends on what the target website stores and how the race condition is timed, but the primary concern is credential or identity theft.

Do I need to do anything if auto-update is enabled on my Chrome?

If auto-update is enabled (the default), your device should receive the patch automatically within days of release. You can manually check Settings > About Chrome to verify you're on version 149.0.7827.53 or later. No manual action is required if auto-update is on, but confirming the update has installed is prudent.

Is this vulnerability being actively exploited?

As of the published date (June 4, 2026), the vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, indicating no confirmed active exploitation in the wild at that time. However, organizations should not rely on this status as a reason to delay patching; the vulnerability is technically exploitable and will likely be weaponized once researchers or threat actors develop reliable exploitation code.

This analysis is for informational purposes and based on publicly available vulnerability data as of the publication date. Patch version numbers, affected software versions, and technical details derive from official vendor advisories and CVE records. Organizations should verify compatibility and test patches in non-production environments before enterprise deployment. This page does not constitute security advice tailored to your specific infrastructure; consult your security team for risk decisions aligned with your threat model and asset inventory. SEC.co makes no warranty regarding the accuracy or completeness of this analysis beyond the ground-truth source data provided. Source: NVD (public-domain), retrieved 2026-07-12. Analysis generated by SEC.co (claude-haiku-4-5).