PatchSiren

CVE-2026-11145 Google CVE debrief

CVE-2026-11145 is a race condition in the Geolocation feature of Google Chrome on Android prior to version 149.0.7827.53. A remote attacker could exploit it with a crafted HTML page, potentially leaking cross-origin data. The Chromium security team has assessed this vulnerability as Medium severity.

Vendor: Google
Product: Chrome
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-04
Original CVE updated: 2026-06-08
Advisory published: 2026-06-04
Advisory updated: 2026-06-08

Who should care

Users of Google Chrome on Android, particularly those using versions prior to 149.0.7827.53, should apply the necessary updates to mitigate this vulnerability. Additionally, developers and security teams should be aware of this issue to ensure they are protecting their users and applications.

Technical summary

The vulnerability, identified as CVE-2026-11145, is caused by a race condition in the Geolocation feature of Google Chrome on Android. This condition can be exploited by a remote attacker through a specially crafted HTML page, which could result in the leakage of cross-origin data. The Common Vulnerability Scoring System (CVSS) score for this vulnerability is 5.3, indicating a Medium severity level. The CVSS vector is CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N.

Defensive priority

Medium

Recommended defensive actions

  • Update Google Chrome on Android to version 149.0.7827.53 or later.
  • Users should ensure their browser is up-to-date to prevent exploitation of this vulnerability.
  • Developers and security teams should review their applications and ensure they are not exposing sensitive data through cross-origin requests.
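
An added triage example for the update guidance above (not PatchSiren's or Google's code): it classifies Chrome on Android versions against the fixed build 149.0.7827.53, from full inventory version strings or from user-agent strings. It assumes Chrome's reduced user agent reports the version as major.0.0.0, so a major version of 149 seen only in a user agent is returned as unknown; the function names, the excluded-browser token list and the sample strings are constructed for illustration.

```python
import re

FIXED = (149, 0, 7827, 53)  # fixed build named in the advisory
_CHROME = re.compile(r"Chrome/(\d+)\.(\d+)\.(\d+)\.(\d+)")
# Assumed, non-exhaustive tokens of other Chromium-based Android browsers and
# of Android WebView ("; wv)"); the advisory names only Chrome.
_OTHER = re.compile(r"(EdgA|OPR|SamsungBrowser)/|; wv\)")


def classify_version(version):
    """Compare a 4-part version tuple with the fixed build."""
    if version[0] != FIXED[0]:
        return "vulnerable" if version[0] < FIXED[0] else "patched"
    if version[1:] == (0, 0, 0):
        # Reduced user agent: only the major version is known, so 149 may be
        # either side of 149.0.7827.53. Resolve it from device inventory.
        return "unknown"
    return "vulnerable" if version < FIXED else "patched"


def classify_inventory(version_name):
    """Classify a full version string, e.g. one reported by an MDM (assumed source)."""
    parts = tuple(int(p) for p in version_name.strip().split("."))
    if len(parts) != 4:
        raise ValueError("expected a 4-part Chrome version: %r" % version_name)
    return classify_version(parts)


def classify_user_agent(ua):
    """Return 'not_applicable', 'vulnerable', 'patched' or 'unknown'."""
    m = _CHROME.search(ua)
    if "Android" not in ua or m is None or _OTHER.search(ua):
        return "not_applicable"
    return classify_version(tuple(int(p) for p in m.groups()))


# Constructed sample user agents (not taken from real traffic).
_UA = "Mozilla/5.0 (%s) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/%s %sSafari/537.36"
SAMPLES = [
    _UA % ("Linux; Android 10; K", "148.0.0.0", "Mobile "),
    _UA % ("Linux; Android 10; K", "149.0.0.0", "Mobile "),
    _UA % ("Linux; Android 10; K", "150.0.0.0", "Mobile "),
    _UA % ("Windows NT 10.0; Win64; x64", "148.0.0.0", ""),
]

if __name__ == "__main__":
    for ua in SAMPLES:
        print(classify_user_agent(ua), "|", ua)
    for v in ("149.0.7827.52", "149.0.7827.53"):
        print(classify_inventory(v), "|", v)
```

Devices returned as unknown need their full Chrome version from device inventory before they can be counted as updated.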

Evidence notes

The CVE-2026-11145 vulnerability has been publicly disclosed and is considered a Medium severity issue by the Chromium security team. The vulnerability allows for the leakage of cross-origin data due to a race condition in the Geolocation feature of Google Chrome on Android versions prior to 149.0.7827.53.

Official resources

CVE-2026-11145 was published on 2026-06-04T23:17:20.780Z and modified on 2026-06-08T19:16:40.683Z.