PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-11188 Google CVE debrief

CVE-2026-11188 is a use-after-free vulnerability in the USB component of Google Chrome on Android. The vulnerability occurs when the browser attempts to access memory that has already been freed, which can lead to a sandbox escape. An attacker could exploit this vulnerability by crafting a malicious HTML page. The Chromium security team classified this vulnerability as Medium severity. The CVSS score for this vulnerability is 8.8, indicating a High severity level.

Vendor
Google
Product
Chrome
CVSS
HIGH 8.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-04
Original CVE updated
2026-06-06
Advisory published
2026-06-04
Advisory updated
2026-06-06

Who should care

Users of Google Chrome on Android prior to version 149.0.7827.53 should update to the latest version to mitigate this vulnerability. Additionally, developers and security teams should be aware of this vulnerability and take steps to protect their users.

Technical summary

The vulnerability is caused by a use-after-free error in the USB component of Google Chrome on Android. This error occurs when the browser attempts to access memory that has already been freed. An attacker could exploit this vulnerability by crafting a malicious HTML page that triggers the use-after-free error, potentially leading to a sandbox escape.

Defensive priority

High

Recommended defensive actions

  • Update Google Chrome on Android to version 149.0.7827.53 or later.
  • Use a web browser that is not vulnerable to this issue.
  • Be cautious when visiting unknown websites or clicking on suspicious links.

Evidence notes

The CVE record for CVE-2026-11188 was obtained from the official CVE website [cve-org]. The vulnerability details were obtained from the National Vulnerability Database [nvd].

Official resources

CVE-2026-11188 was published on 2026-06-04T23:17:25.787Z and modified on 2026-06-06T01:36:43.603Z.