← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
CVE-2026-11064 · CWE-457 · Disclosed 2026-06-04

Race in GPU in Google Chrome on Android prior to 149

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is a spare key hidden inside a room the intruder already had to break into first

As of 2026-06-06, I could not verify an official published record for CVE-2026-11064. The metadata you supplied lines up much more closely with CVE-2026-11123: an Android Chrome bug fixed before 149.0.7827.53, classified as CWE-457, where uninitialized use in ANGLE/GPU can leak sensitive process memory through crafted HTML. In plain English: after an attacker already gets code running in the browser renderer, this bug may let them read leftover data they should not see.

Google's MEDIUM label is defensible in generic browser-land, but for enterprise patch triage it is still too generous. The decisive friction is the prerequisite: the attacker must already have compromised the renderer process. That makes this a second-stage exploit-chain primitive with narrow real-world reach, Android-only scope, no KEV listing, and no reliable public weaponization I could verify.

"This is a post-compromise browser chain helper, not your next enterprise fire drill."
02 · The Attack Path

4 steps from start to impact.

STEP 01

Land renderer code execution first

The attacker needs a separate browser bug to compromise the Chrome renderer on Android, typically via malicious web content. This CVE is not an initial-access bug by itself; it only matters after the renderer is already under attacker control.
Conditions required:
  • Victim uses Chrome on Android
  • Victim loads attacker-controlled content
  • A separate renderer-compromise vulnerability is present and successfully exploited
Where this breaks in practice:
  • Requires chaining with another bug before this CVE becomes reachable
  • Modern browser exploit mitigations raise cost for first-stage renderer compromise
  • No verified public end-to-end exploit chain found in primary-source review
Detection/coverage: Traditional vulnerability scanners will only see version exposure; they will not detect active exploitation of this stage. Mobile Threat Defense and browser crash telemetry may catch the first-stage exploit, not this memory-disclosure step.
STEP 02

Trigger the ANGLE/GPU memory disclosure

With renderer control, the attacker uses a crafted HTML/WebGL path to exercise the vulnerable ANGLE/GPU behavior and read uninitialized memory. Think custom JavaScript/WebGL harness rather than an off-the-shelf tool; I found no authoritative public PoC repo for the likely intended record.
Conditions required:
  • Renderer already compromised
  • Vulnerable Chrome build prior to 149.0.7827.53
  • Relevant GPU/ANGLE path reachable on the device
Where this breaks in practice:
  • Bug appears Android-specific, which narrows the affected population
  • ANGLE/GPU behavior can vary by device, driver stack, and OS build
  • Mobile browser exploit reliability is usually lower than lab conditions suggest
Detection/coverage: EDR-equivalent visibility on Android is poor. Best coverage is version inventory plus anomaly monitoring for repeated renderer/GPU crashes on managed devices.
STEP 03

Harvest sensitive memory artifacts

The practical outcome is information disclosure, not clean arbitrary code execution or persistence. The attacker is trying to recover high-value residues such as page content, tokens, or cross-origin artifacts from process memory that should have been isolated.
Conditions required:
  • Useful secrets are resident in accessible process memory
  • The leaked bytes are structured enough to be exploitable
Where this breaks in practice:
  • Leaked memory can be noisy and inconsistent
  • Blast radius is usually limited to one browser session on one device
  • Site/process isolation reduces what tends to coexist in a single renderer context
Detection/coverage: There is no strong signature-based scanner for successful memory disclosure. Investigators should correlate suspicious browsing, renderer crashes, and exposed browser versions.
STEP 04

Exfiltrate what was recovered

Any recovered data still has to be turned into something useful, then sent off-device through normal web requests from the malicious page or follow-on malware. That means the attacker gets incremental value from the leak, not an instant enterprise-wide foothold.
Conditions required:
  • Recovered data is actionable
  • Outbound network access from the browser remains available
Where this breaks in practice:
  • Many leaked fragments will be junk, stale, or low-value
  • Enterprise value is highest only when the user is signed into sensitive SaaS in mobile Chrome
  • Network controls may not stop exfil over ordinary HTTPS but can limit follow-on abuse
Detection/coverage: Proxy, DNS, and mobile network telemetry may catch follow-on exfil domains, but they will not prove this specific CVE was the cause.
03 · Intelligence Metadata

The supporting signals.

Identity checkI could not verify an official CVE-2026-11064 record as of 2026-06-06. Your metadata matches CVE-2026-11123 most closely: same CWE-457, same fixed boundary 149.0.7827.53, and the same EPSS 0.00035.
Potentially confused sibling CVEThere is also CVE-2026-11119, an Android GPU issue in the same release batch, but that one is a potential sandbox escape with a much higher enriched CVSS; do not mix it with the likely intended info-leak record.
In-the-wild statusNo evidence of active exploitation verified. I found no vendor statement of in-the-wild abuse for the likely intended record.
KEV statusNot KEV-listed in CISA's catalog at review time.
PoC availabilityNo reliable public PoC repository located in primary-source review. Expect private browser-exploit tradecraft if this gets used at all.
EPSS0.00035 (~0.035%, percentile ~10.8 for the likely intended CVE-2026-11123), which is consistent with a low-likelihood, chain-dependent browser issue.
CVSS interpretationYour supplied vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N describes a user-assisted remote info leak with no direct integrity or availability hit. That is directionally aligned with the likely intended memory-disclosure flaw, but the official published CVE-2026-11123 record had no CNA CVSS yet when I checked.
Affected versionsAuthoritative Chrome CNA data for the likely intended record says Chrome < 149.0.7827.53 is affected.
Fixed versionFix boundary is 149.0.7827.53. Google publicly showed Android 149.0.7827.48 rolling out on 2026-05-28, so there may be short-lived Play rollout lag between public Android channel posts and the CVE fix boundary.
Exposure realityThis is Android-only and only exploitable after renderer compromise. In enterprise terms that means a post-initial-access browser chain component, not a mass remote compromise event.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to LOW (3.7/10)

The single most important factor is the prerequisite: the attacker must already have compromised the renderer process before this bug matters. That turns the issue from a broad remote browser risk into a narrow, second-stage Android-only information leak with no verified exploitation evidence.

LOW Exact CVE identity mapping (`CVE-2026-11064` appears to be a typo or unpublished ID)
HIGH Severity downgrade driven by the post-renderer-compromise prerequisite
MEDIUM Operational impact assessment for managed Android enterprise fleets

Why this verdict

  • Renderer compromise required: this is not initial access. Requiring a separate first-stage browser exploit is a major downward adjustment from the supplied 6.5 baseline.
  • Android-only exposure: even if Chrome is common, this record is narrowed to Android builds below 149.0.7827.53, not your whole desktop browser estate.
  • Disclosure, not takeover: the likely intended bug leaks process memory; it does not hand the attacker direct persistence, remote code execution on the device, or enterprise-wide lateral movement by itself.
  • No live-fire indicators: no KEV entry, no verified in-the-wild note, and no authoritative public PoC materially reduce urgency.

Why not higher?

If this were the sibling Android GPU bug that genuinely enabled a renderer-to-sandbox escape, or if Google/CISA had confirmed exploitation, the score would jump sharply. Likewise, an issue reachable without prior renderer compromise would deserve at least MEDIUM and likely higher.

Why not lower?

It still affects a massively deployed browser family and can expose sensitive browser-resident data on mobile devices. For high-risk users who do privileged SaaS administration from Android Chrome, even a chain-dependent info leak is not something to ignore outright.

05 · Compensating Control

What to do — in priority order.

  1. Force Chrome auto-update on managed Android — Use MDM/EMM controls and Play managed app policies to keep com.android.chrome current. For a LOW noisgate verdict there is no mitigation SLA; treat this as backlog hygiene, but version drift on mobile browsers should still be cleaned up in your normal maintenance cycle.
  2. Keep privileged workflows off mobile browsers — Restrict break-glass admin actions, cloud-console administration, and other high-value sessions from Android Chrome where feasible. This reduces the value of any browser-memory disclosure; for LOW, there is no formal mitigation deadline, so apply this as policy hardening rather than emergency response.
  3. Inventory sub-fixed Android Chrome versions — Query managed devices for Chrome versions below 149.0.7827.53 and target stale cohorts first. This is mainly to reduce long-tail exposure and confirm whether you even have a meaningful affected population.
  4. Enable additional site isolation for sensitive origins where supported — Chromium documents stronger isolation options on Android for organizations that need extra protection around high-value sites. This does not patch the bug, but it can reduce same-process data co-residency and lower leak usefulness.
What doesn't work
  • A perimeter WAF does not help; the bug is in local browser memory handling after the page is rendered.
  • Patching desktop Chrome only misses the likely affected population because this issue is Android-specific.
  • Generic network IDS signatures are weak here because the exploit path is custom HTML/JS inside an already compromised renderer, not a stable wire signature.
06 · Verification

Crowdsourced verification payload.

Run this from an auditor workstation with ADB access to the target Android device, or adapt the same package query in your MDM shell. Invoke it as ./check_chrome_android.sh com.android.chrome 149.0.7827.53; no root is required, but the device must be reachable via adb shell and permit package metadata queries.

noisgate-verify.sh
BASHREAD-ONLYSAFE
#!/usr/bin/env bash
# check_chrome_android.sh
# Purpose: Check whether Android Chrome is below a fixed version.
# Usage: ./check_chrome_android.sh [package_name] [fixed_version]
# Example: ./check_chrome_android.sh com.android.chrome 149.0.7827.53
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

set -u

PKG="${1:-com.android.chrome}"
FIXED="${2:-149.0.7827.53}"

command -v adb >/dev/null 2>&1 || {
  echo "UNKNOWN: adb not found in PATH"
  exit 2
}

adb get-state >/dev/null 2>&1 || {
  echo "UNKNOWN: no adb device available"
  exit 2
}

raw="$(adb shell dumpsys package "$PKG" 2>/dev/null | tr -d '\r' | grep -m1 'versionName=')"
if [ -z "$raw" ]; then
  echo "UNKNOWN: package '$PKG' not found or versionName unavailable"
  exit 2
fi

INSTALLED="${raw#*=}"
INSTALLED="$(echo "$INSTALLED" | xargs)"

norm_ver() {
  local v="$1"
  local IFS='.'
  local parts
  read -r -a parts <<< "$v"
  printf '%d %d %d %d\n' "${parts[0]:-0}" "${parts[1]:-0}" "${parts[2]:-0}" "${parts[3]:-0}"
}

ver_lt() {
  local a b
  a=( $(norm_ver "$1") )
  b=( $(norm_ver "$2") )
  for i in 0 1 2 3; do
    if [ "${a[$i]}" -lt "${b[$i]}" ]; then
      return 0
    elif [ "${a[$i]}" -gt "${b[$i]}" ]; then
      return 1
    fi
  done
  return 1
}

if ver_lt "$INSTALLED" "$FIXED"; then
  echo "VULNERABLE: $PKG installed version $INSTALLED is below fixed version $FIXED"
  exit 1
else
  echo "PATCHED: $PKG installed version $INSTALLED is at or above fixed version $FIXED"
  exit 0
fi
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning: first, fix the data quality problem in your vuln feed — the supplied ID CVE-2026-11064 does not currently verify, and the technical details map best to CVE-2026-11123. Then pull an inventory of managed Android devices running Chrome below 149.0.7827.53, clean up stragglers in your normal mobile browser patch cycle, and keep privileged admin workflows off Android Chrome where possible. Because this lands in LOW, there is no noisgate mitigation SLA and no noisgate remediation SLA; treat it as backlog hygiene, document the renderer-compromise prerequisite, and patch through standard maintenance rather than emergency change.

Sources

  1. Vulnerability-Lookup record for CVE-2026-11123
  2. Vulnerability-Lookup record for CVE-2026-11119
  3. Chrome Releases: Early Stable Update for Desktop 149.0.7827.53/.54
  4. Chrome Releases homepage showing Android 149.0.7827.48 rollout
  5. CISA Known Exploited Vulnerabilities catalog
  6. FIRST EPSS data and daily reports
  7. Chromium Site Isolation overview
  8. Chromium GPU process design document
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.