PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-11012 Google CVE debrief

CVE-2026-11012 is a use-after-free vulnerability in the Serial component of Google Chrome on Android. The vulnerability occurs when the browser's rendering process is compromised, allowing a remote attacker to potentially escape the sandbox via a crafted HTML page. The CVSS score for this vulnerability is 8.3, indicating a high severity level.

Vendor
Google
Product
Chrome
CVSS
HIGH 8.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-04
Original CVE updated
2026-06-08
Advisory published
2026-06-04
Advisory updated
2026-06-08

Who should care

Users of Google Chrome on Android prior to version 149.0.7827.53 should update to the latest version to mitigate this vulnerability. Additionally, developers and security teams should be aware of this vulnerability and take steps to ensure that their applications and systems are not exposed to this vulnerability.

Technical summary

The vulnerability is caused by a use-after-free error in the Serial component of Google Chrome on Android. This error occurs when the browser's rendering process is compromised, allowing a remote attacker to potentially escape the sandbox via a crafted HTML page. The CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H.

Defensive priority

High

Recommended defensive actions

  • Update Google Chrome on Android to version 149.0.7827.53 or later.
  • Use a web browser that is not vulnerable to this issue.

Evidence notes

The CVE record for CVE-2026-11012 was obtained from the official CVE website. The vulnerability details were obtained from the National Vulnerability Database (NVD) and the Google Chrome release notes.

Official resources

CVE-2026-11012 was published on 2026-06-04T23:17:05.070Z and modified on 2026-06-08T14:26:44.233Z.