PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-12028 Google CVE debrief

CVE-2026-12028 is a high-severity vulnerability in Google Chrome on Android prior to version 149.0.7827.115. The vulnerability is a use-after-free issue in the GPU, which could allow a remote attacker who has compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. The CVSS score for this vulnerability is 8.3, indicating a high level of severity.

Vendor
Google
Product
Chrome
CVSS
HIGH 8.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-11
Original CVE updated
2026-06-12
Advisory published
2026-06-11
Advisory updated
2026-06-12

Who should care

Users of Google Chrome on Android prior to version 149.0.7827.115 should update to the latest version to mitigate this vulnerability. Additionally, administrators and security teams responsible for managing Chrome deployments should ensure that all instances are updated to the latest version.

Technical summary

The vulnerability is a use-after-free issue in the GPU, which could allow a remote attacker who has compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. The CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H.

Defensive priority

High

Recommended defensive actions

  • Update Google Chrome on Android to version 149.0.7827.115 or later.
  • Ensure that all instances of Google Chrome are updated to the latest version.

Evidence notes

The CVE record and NVD detail can be found at [cve-org] and [nvd], respectively. Additional information can be found in the vendor advisory at [ref-4] and issue tracking page at [ref-5].

Official resources

CVE-2026-12028 was published on 2026-06-11T22:16:55.350Z and modified on 2026-06-12T18:06:08.123Z.