CVE-2026-11145 · Race in Geolocation in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTM

01 · The Real Story

This is less a burglar kicking in the front door than a pickpocket needing you to hold the gate open at exactly the wrong second

CVE-2026-11145 is a race condition in Chrome Geolocation on Android that affects versions before 149.0.7827.53. The published impact is cross-origin data leakage via a crafted HTML page, not code execution, persistence, or sandbox escape. In plain English: a malicious page may be able to win a timing bug around geolocation handling and read data it should not be able to read across origin boundaries.

The vendor's 6.5 / MEDIUM baseline is technically defensible, but it overstates patch urgency for enterprise fleet triage. This is Android-only, requires user interaction, has no KEV listing, no public exploitation evidence, no public PoC found, and the bug class itself implies the attacker still has to win a timing-sensitive race rather than hit a deterministic memory corruption primitive. That pushes it down from 'drop everything' to 'patch as normal browser hygiene.'

"Browser bug, not breach magnet: Android-only, user-driven, no KEV, no public PoC, and the race itself adds real friction."

02 · The Attack Path

4 steps from start to impact.

STEP 01

Land the victim on a crafted page

The attacker needs a user running Chrome on Android below 149.0.7827.53 to open attacker-controlled HTML. This is classic browser delivery: phishing link, malicious ad path, or compromised site content. No auth is needed, but the attack is dead on arrival unless the victim actually renders the page in affected Chrome.

Conditions required:

Victim uses Google Chrome on Android
Chrome version is < 149.0.7827.53
User opens attacker-controlled or attacker-influenced content

Where this breaks in practice:

Android-only sharply narrows fleet reach versus desktop Chrome
Requires user interaction rather than silent network reachability
Enterprise mobile fleets often auto-update Chrome through Play/Managed Google Play

Detection/coverage: Version scanners and MDM inventory can identify affected installs; network security tools generally cannot distinguish a benign page view from exploit delivery here.

STEP 02

Trigger the geolocation race window

The malicious page must drive the vulnerable geolocation code path and hit the race condition at the right time. Because the issue is described as a race in Geolocation, exploitation likely depends on tight timing around browser state, permission handling, or origin transitions rather than a deterministic one-shot bug. That is real attacker friction, especially across diverse Android hardware and browser states.

Conditions required:

Exploit reaches the vulnerable geolocation execution path
Browser/device timing lines up with the race window
Any required geolocation permission state is favorable to the attacker

Where this breaks in practice:

Race conditions are less reliable than straight parser or memory-corruption bugs
Android device variance makes timing-dependent exploitation harder to scale
If the victim denies or has blocked location access, some exploit paths may collapse

Detection/coverage: There is no strong scanner signature for 'race won'; telemetry is mostly indirect. Browser crash volume is not a reliable signal because the stated impact is data leakage, not DoS.

STEP 03

Break same-origin expectations

If the race succeeds, the attacker leaks cross-origin data that should remain isolated by browser boundaries. The stated impact is confidentiality only: no integrity or availability impact is published, and there is no claim of code execution or sandbox escape. That matters for prioritization: the bug is bad browser behavior, not a full-device compromise path by itself.

Conditions required:

Race is successfully won
Targeted cross-origin data is present and meaningful in the victim browser context

Where this breaks in practice:

Confidentiality-only impact limits blast radius compared with RCE
Useful loot depends on what the victim is actively doing in the browser
No evidence this is chained publicly into a broader Android compromise path

Detection/coverage: Runtime detection is weak. Best coverage is preventive version inventory plus browser update compliance reporting.

STEP 04

Exfiltrate the leaked data

The attacker still has to package and exfiltrate whatever data was exposed by the race, typically over normal web requests from the malicious page. In practice this is hard to separate from ordinary browser traffic without browser-specific telemetry or CASB-style visibility into suspicious destinations. The outcome is session or page-data exposure, not host takeover.

Conditions required:

Attacker-controlled destination can receive the leaked data
Leaked material is valuable enough to matter operationally

Where this breaks in practice:

Exfil blends into normal HTTPS web traffic
Value depends on the victim browsing sensitive content at the time
No vendor or CISA evidence of active campaigns using this CVE

Detection/coverage: DLP or secure web gateway controls may catch obvious outbound theft patterns, but most enterprises will not get a clean CVE-specific detection.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No known active exploitation published. The CVE record shows SSVC: Exploitation = none and I found no KEV entry for this CVE. Source: CIRCL record, CISA KEV catalog
Public PoC availability	No public PoC found in the sources reviewed, and the Chromium bug is still effectively opaque from the outside. That is meaningful downward pressure because defenders are not dealing with a turnkey exploit kit right now. Sources: Chromium issue reference, CIRCL record
EPSS	0.00032 EPSS, percentile 0.09637 on 2026-06-05 — essentially floor-level exploit likelihood in the near term. Source: CIRCL record with EPSS metadata, FIRST EPSS
KEV status	Not listed in CISA KEV as of 2026-06-06 based on the reviewed catalog and aggregator metadata. Source: CISA KEV catalog, CIRCL record
CVSS vector reality check	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N` maps to remote, no privileges, but user interaction required and confidentiality-only impact. That is already a middle-of-the-road browser disclosure profile, not a host-takeover profile. Source: CIRCL record, FIRST CVSS reference
Affected versions	Chrome on Android before 149.0.7827.53. The CVE record is explicit that this is an Android issue, not a generic all-platform Chrome defect. Source: CIRCL record
Fixed version	149.0.7827.53 or later is the patched floor from the CVE metadata. The broader Chrome 149 stable train was published by Google on 2026-06-02, with the Android rollout following the usual Play distribution model. Sources: CIRCL record, Chrome stable update, Chrome Android update help
Scanning and exposure reality	Massive install base, poor external discoverability. Chrome shows 10B+ downloads on Google Play, so population is huge, but this is a client-side browser bug, not an internet-facing listener you can enumerate with Shodan/Censys. Source: Google Play Chrome app
Disclosure and reporting	Published 2026-06-04; Google's June 2 stable advisory identifies CVE-2026-11145: Race in Geolocation and notes it was reported by Google on 2026-04-11. Sources: CIRCL record, Chrome stable update

04 · The Call

noisgate verdict.

Final Verdict

= UNCHANGED to MEDIUM (4.9/10)

The decisive factor is compounded exploit friction: this is Android-only, user-driven, confidentiality-only, and the attacker must still win a timing-sensitive race rather than trigger a deterministic bug. That keeps it relevant but not urgent, especially with no KEV entry, no public PoC, and floor-level EPSS.

HIGH Structured metadata: affected versions, CVSS, disclosure date, patched floor

MEDIUM Real-world exploit chain friction inferred from limited technical detail and restricted bug context

Why this verdict

Android-only narrows reach: this is not a broad desktop Chrome fire; it only applies to Chrome on Android, which materially shrinks the exposed enterprise population.
User interaction is mandatory: the attacker must get the victim to open crafted HTML, which implies phishing/adversary-controlled content delivery rather than unauthenticated internet exploitation.
Race conditions are unreliable at scale: the bug class itself adds attacker friction because exploitation depends on timing and browser state, not just serving one malicious payload.
Confidentiality-only impact caps severity: the published impact is cross-origin data leakage, not code execution, sandbox escape, persistence, or device compromise.
Threat intel is cold: no KEV, no public exploitation evidence, no public PoC located, and EPSS is effectively near zero.

Why not higher?

This is not a browser RCE and not a sandbox escape. To get a higher bucket, I would want evidence of active exploitation, a public exploit chain, broader platform reach, or a cleaner deterministic primitive than a geolocation race with confidentiality-only impact.

Why not lower?

It still hits a widely deployed browser and can be triggered remotely through normal web content. Cross-origin leakage in a mainstream mobile browser is not meaningless backlog dust, especially where managed Android devices handle SSO, internal portals, or sensitive web apps.

05 · Compensating Control

What to do — in priority order.

Force Chrome auto-updates through managed Google Play — If you manage Android with Google endpoint management or EMM, make sure Chrome is approved and auto-updating so the vulnerable version ages out naturally. For a MEDIUM reassessment there is no mitigation SLA, so use this as normal hygiene while you work toward patch completion inside the 365-day remediation window.
Inventory Android Chrome versions now — Pull an MDM/EMM report for com.android.chrome and isolate devices below 149.0.7827.53; that gives you the real denominator instead of arguing from theoretical exposure. For MEDIUM, there is no mitigation SLA — go straight to remediation tracking and keep the straggler list moving toward the 365-day deadline.
Minimize Chrome geolocation permissions where business use does not require them — Where policy allows, revoke or discourage unnecessary location access for Chrome on managed Android devices to reduce the reachable vulnerable code path. This is a temporary exposure reduction, not a substitute for updating, and it can be rolled into normal mobile hardening work during the 365-day remediation window.
Prefer compliant managed devices for sensitive web access — Route high-value browser workflows—admin panels, finance, HR, privileged SaaS—onto managed devices that enforce app update compliance, instead of hoping unmanaged mobile browsers stay current. There is no mitigation SLA for this verdict, but this control reduces risk immediately while remediation proceeds.

What doesn't work

A server-side patch sprint on your web apps does nothing; the bug sits in the client browser.
A WAF does not reliably stop this class of issue because the exploit lives in normal page rendering and browser state, not a clean inbound signature on your perimeter.
Traditional external scanning is mostly irrelevant; this is not an exposed service you can enumerate from the internet.

06 · Verification

Crowdsourced verification payload.

Run this from an auditor workstation with adb installed against a managed Android device connected over USB or Wi-Fi. Example: ./check_chrome_android.sh ZY22XXXXXX; it needs adb device access only and does not require root.

noisgate-verify.sh

BASHREAD-ONLYSAFE

#!/usr/bin/env bash
# check_chrome_android.sh
# Verify whether Google Chrome on Android is vulnerable to CVE-2026-11145
# Usage: ./check_chrome_android.sh [device-serial]
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN/usage, 3=adb/package error

set -u

PKG="com.android.chrome"
PATCHED_VERSION="149.0.7827.53"
ADB_BIN="adb"
SERIAL_ARG=""

if [[ $# -gt 1 ]]; then
  echo "UNKNOWN: Usage: $0 [device-serial]"
  exit 2
fi

if [[ $# -eq 1 ]]; then
  SERIAL_ARG="-s $1"
fi

if ! command -v "$ADB_BIN" >/dev/null 2>&1; then
  echo "UNKNOWN: adb not found in PATH"
  exit 3
fi

# Ensure device is reachable
if ! $ADB_BIN $SERIAL_ARG get-state >/dev/null 2>&1; then
  echo "UNKNOWN: adb device not reachable"
  exit 3
fi

# Pull versionName from package manager
VERSION_RAW="$($ADB_BIN $SERIAL_ARG shell dumpsys package "$PKG" 2>/dev/null | tr -d '\r' | awk -F= '/versionName=/{print $2; exit}')"

if [[ -z "$VERSION_RAW" ]]; then
  echo "UNKNOWN: package $PKG not found or version unavailable"
  exit 3
fi

# Basic semantic compare using sort -V
version_ge() {
  # returns 0 if $1 >= $2
  local a="$1"
  local b="$2"
  local first
  first=$(printf '%s\n%s\n' "$a" "$b" | sort -V | head -n1)
  [[ "$first" == "$b" ]]
}

if version_ge "$VERSION_RAW" "$PATCHED_VERSION"; then
  echo "PATCHED: $PKG version $VERSION_RAW (patched floor: $PATCHED_VERSION)"
  exit 0
else
  echo "VULNERABLE: $PKG version $VERSION_RAW (patched floor: $PATCHED_VERSION)"
  exit 1
fi

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning, pull a real inventory of managed Android devices running com.android.chrome, identify anything below 149.0.7827.53, and make sure managed Google Play / EMM auto-update is actually enforcing Chrome updates. Because this reassessment lands at MEDIUM with no KEV and no active exploitation evidence, there is no noisgate mitigation SLA — go straight to the 365-day remediation window; in practice, push the browser update in your normal mobile app cycle, watch for update failures and unmanaged stragglers, and complete patching within the noisgate remediation SLA of ≤365 days.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.