CVE-2026-11672: Chrome Android GPU Heap Overflow Sandbox Escape
A heap buffer overflow vulnerability exists in the GPU component of Google Chrome on Android versions prior to 149.0.7827.103. An attacker who has already compromised Chrome's renderer process can exploit this flaw through a specially crafted HTML page to escape the browser sandbox and gain higher privileges on the device. This is a post-compromise escalation vector that requires the renderer to be compromised first.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.3 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-787
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Heap buffer overflow in GPU in Google Chrome on Android prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11672 is a heap buffer overflow (CWE-787) in Chrome's GPU subsystem on Android. The vulnerability allows a sandboxed renderer process to perform an out-of-bounds memory write when processing malicious HTML content. Successful exploitation enables sandbox escape, potentially granting an attacker access to sensitive device resources, other browser processes, or system-level capabilities. The attack requires user interaction (visiting a malicious page) but assumes the renderer process is already under attacker control.
Business impact
For organizations deploying Chrome on Android devices, this vulnerability creates a multi-stage attack risk. While it requires prior renderer compromise, successful exploitation could lead to full device compromise, data exfiltration, lateral movement to corporate resources, and loss of confidentiality and integrity guarantees that the Android sandbox normally provides. Mobile-first enterprises and BYOD programs face elevated risk if users run unpatched Chrome versions.
Affected systems
Google Chrome on Android versions before 149.0.7827.103 are vulnerable. The vulnerability is specific to Android; desktop Chrome versions are not affected by this particular flaw. Any device running an affected Chrome build is at risk if a user visits a malicious website or if the renderer process is compromised through other means.
Exploitability
Exploitability is moderate in practical terms. The attack requires two conditions: (1) a compromised renderer process, and (2) user interaction to load a crafted HTML page. While the barrier to initial renderer compromise may be high, once established, the heap overflow provides a reliable path to sandbox escape. No known public exploit exists at this time, and this vulnerability has not been added to the CISA Known Exploited Vulnerabilities catalog.
Remediation
Update Google Chrome on Android to version 149.0.7827.103 or later. The update is available through Google Play Store and should be deployed immediately to all managed Android devices. Organizations should verify update deployment through mobile device management (MDM) tools. For unmanaged devices, user communication emphasizing automatic updates is critical.
Patch guidance
Verify that Chrome on all Android devices is updated to 149.0.7827.103 or a later release. Use MDM solutions (e.g., Google Mobile Management, Microsoft Intune) to enforce automatic updates and prevent rollback. Confirm patch status by checking Settings > About Chrome on target devices, which should display the current version. Set policies to disable manual version downgrades. Test patched builds in a non-production environment before full rollout if your organization uses custom Chrome builds or enterprise policies.
Detection guidance
Monitor Chrome version numbers across your Android device fleet using MDM reporting and telemetry. Look for devices still running versions prior to 149.0.7827.103. Alert on any anomalous GPU process behavior, renderer crashes, or out-of-memory conditions on affected devices, which may indicate exploitation attempts. Endpoint detection tools should flag unsigned or suspicious GPU driver modifications. Correlate Chrome update failures with device compliance reports to identify at-risk machines.
Why prioritize this
This vulnerability merits rapid patching despite not yet appearing in CISA's Known Exploited Vulnerabilities list. The combination of high CVSS score (8.3), sandbox escape potential, and Android's growing attack surface make it a priority. Sandbox escapes are particularly dangerous because they undermine the security boundary Android relies upon. Organizations should treat this as critical for any device handling sensitive data, even though the attack requires prior renderer compromise.
Risk score, explained
The CVSS 3.1 score of 8.3 (HIGH) reflects the severe impact of successful exploitation: high confidentiality, integrity, and availability impact (C:H, I:H, A:H) with sandbox escape capability. The attack vector is network-based (AV:N) and requires high attack complexity (AC:H) due to the need for prior renderer compromise and user interaction (UI:R). The scope change (S:C) acknowledges that compromise extends beyond the renderer sandbox. The score accurately captures the severity while accounting for practical exploitation barriers.
Frequently asked questions
Does this affect Chrome on desktop or other operating systems?
No, this vulnerability is specific to Chrome on Android and affects the GPU component in that environment. Desktop Chrome, Chrome on iOS, and Chrome on other platforms are not vulnerable to this particular flaw, though they may be affected by other security issues.
What happens if a user simply visits a malicious website without their renderer being compromised first?
The vulnerability cannot be exploited through passive web browsing alone. An attacker must first compromise the renderer process through another vulnerability or vector. Once compromised, the attacker can then use this heap overflow to escape the sandbox. This two-stage requirement reduces the immediate risk from random web browsing.
Should we block Chrome updates or delay patching for testing?
No. Given the sandbox escape nature and high CVSS score, delays should be minimal. Modern mobile deployment allows rapid, staged rollouts through MDM. Verify patch compatibility with your organization's critical apps in a small test group, then deploy broadly within days, not weeks.
What if our organization uses a managed version of Chrome?
If you deploy Chrome through enterprise management or a customized build, verify that your distribution channel includes the patched version 149.0.7827.103 or later. Check with your Chrome deployment vendor or internal packaging team to confirm patch availability. Manually curated Chrome builds require explicit update cycles and should not be delayed.
This analysis is provided for informational purposes and should not be construed as professional security advice specific to your organization. Verify all patch versions and CVE details against official Google Chrome and CISA advisories before implementation. Testing in non-production environments is recommended before enterprise-wide deployment. The vulnerability details, CVSS score, and affected versions are based on publicly available information current as of the publication date. No exploit code or weaponized proof-of-concept is included or discussed in this analysis. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10883HIGHType Confusion in Chrome ANGLE Graphics Library
- CVE-2026-10897HIGHCritical Chrome GPU Sandbox Escape Vulnerability
- CVE-2026-10907HIGHChrome ANGLE Out-of-Bounds Write – Remote Code Execution Risk
- CVE-2026-10925HIGHSkia Out-of-Bounds Write Enables macOS Chrome Sandbox Escape
- CVE-2026-10941HIGHSkia Out-of-Bounds Memory Vulnerability in Chrome – Urgent Patch Required
- CVE-2026-11091HIGHCritical Chrome Memory Corruption Vulnerability in Dawn Graphics Engine
- CVE-2026-11173HIGHChrome V8 Out-of-Bounds Write Sandbox Escape – Patch Guidance
- CVE-2026-11690HIGHChrome Memory Safety Vulnerability on macOS – Patch & Detection Guide