CVE-2026-11082: Race in GPU in Google Chrome on Android prior to 149
Race in GPU in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)
Metrics
- CVSS v3.1: 9.6
- Severity: CRITICAL
- Fixed in: 149.0.7827.53
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is a race condition in the GPU process of Google Chrome for Android, affecting all versions prior to 149.0.7827.53. The vulnerability is reachable over the network and requires no authentication, but does require a victim to visit a crafted HTML page; however, the attacker must have already compromised the renderer process as a prerequisite. Successful exploitation achieves a sandbox escape, giving the attacker full read, write, and availability impact outside the Chrome sandbox with effects crossing into the broader system scope. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for affected environments.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built Android-based container images that bundle a Chrome binary. Affected image layers are flagged regardless of where they appear in the image hierarchy. (Available)
HarborGuard scores this CVE at CVSS 9.6 (Critical) and applies per-environment compliance policy weighting to prioritize routing. Triage results are delivered to the appropriate team inbox within each customer organization based on configured ownership rules. (Available)
A patched-image rebuild pinned to Chrome 149.0.7827.53 becomes available on HarborGuard for any environment running an affected version. For customers who opt into auto-remediation, HarborGuard runs the rebuild, executes a regression test suite, and opens a PR against affected workloads automatically. (Available)
Exploit Conditions
- Network reachability: Required
The attacker delivers the exploit over the network by directing the victim to a crafted HTML page hosted remotely.
- Authentication: Not required
No account or credential is needed; the attack is launched against an unauthenticated browser session.
- Victim interaction: Required
The victim must open or be redirected to a crafted HTML page, making social engineering or malicious ad delivery the likely delivery vector.
- Attack complexity: Low
Although the underlying trigger is a race condition, the CVSS vector rates attack complexity as Low, indicating the exploit is considered reliable and does not depend on specific environmental conditions beyond the renderer compromise prerequisite.
Blast Radius
- Attacker escapes the Chrome sandbox and gains execution context outside the renderer, breaking the primary security boundary of the browser.
- Confidentiality is fully compromised: the attacker can read files, credentials, session tokens, and any data accessible to the Chrome process or the underlying OS user.
- Integrity is fully compromised: the attacker can write or modify files, inject code into other processes, and persist malicious payloads on the device.
- Availability is fully compromised: the attacker can crash, terminate, or otherwise disrupt Chrome and other processes running under the same user account.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-11082 is active across all customer environments and matches against any image bundling a Chrome for Android binary older than 149.0.7827.53. Given the Critical severity (CVSS 9.6) and sandbox-escape impact, this CVE is surfaced at the highest priority tier. Where compliance policy permits, auto-remediation customers receive a rebuilt image at the patched version, a regression test run, and a PR opened against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes for environments with auto-remediation enabled. For environments where auto-remediation is not enabled, HarborGuard surfaces the finding immediately so teams can manually trigger a rebuild. As a compensating control until patching is complete, network policy isolation restricting outbound renderer process communication and disabling the affected GPU-accelerated code paths via feature flags can reduce exposure.
Fix available
- Google / Chrome: < 149.0.7827.53 (fixed from 149.0.7827.53)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H