Google has shipped a critical patch for all Chrome for Android users, fixing a medium-severity vulnerability that could allow attackers to steal sensitive cross-origin data through a geolocation race condition. The flaw, tracked as CVE-2026-11145, was published by the National Vulnerability Database on June 4, 2026, and affects Chrome versions prior to 149.0.7827.53 on Android. Users who have not yet updated their browser remain at risk.

What is CVE-2026-11145?

At its core, CVE-2026-11145 is a race condition vulnerability located in Chrome for Android’s geolocation handling routines. A race condition occurs when a system’s behavior depends on the timing of uncontrollable events, such as the order in which threads execute. In this specific flaw, the way Chrome processes geolocation permissions and responses across different origins can be exploited to leak data between unrelated websites.

According to the NVD entry, the vulnerability arises from insufficient synchronization during geolocation API calls. An attacker who successfully lures a victim to a malicious website could craft a scenario where geolocation data—or more critically, data associated with that geolocation request—is disclosed to a different origin than intended. This cross-origin leak could expose personal information, session tokens, or other sensitive state.

The flaw is Android-specific because of the platform’s unique geolocation permission model and Chrome’s implementation of WebView and system-level location services. Desktop versions of Chrome are not affected.

Technical Breakdown: How the Race Condition Works

While Google has not released full technical details to protect users still applying the patch, security researchers familiar with race condition exploits can infer the general attack vector.

Geolocation in Chrome is managed through asynchronous callbacks: a website requests the user’s position via navigator.geolocation.getCurrentPosition() or watchPosition(). Chrome then displays a permission prompt, and upon user consent, fetches the coordinates from the operating system. This process involves multiple threads and inter-process communication (IPC) with Chrome’s network service and the Android location provider.

The race condition likely manifests when two geolocation requests from different origins—say, attacker.com and victim-bank.com—are in flight simultaneously. If the attacker can win the race and inject a crafted response before Chrome properly binds the result to the requesting origin, the browser might deliver the geolocation coordinates and any cached context from the other origin to the attacker’s script. Even worse, if other site data like OAuth tokens or JavaScript objects were tied to the geolocation permission store, that information could become compromised.

Such timing attacks are notoriously tricky to execute but can be made more reliable through techniques like CPU throttling, precise wake-up calls, or by exploiting known side channels in the Android scheduler. This elevates a theoretical concern into a practical threat for attackers with deep knowledge of Chrome’s internals.

Severity and Impact

The NVD assigned a medium severity score to CVE-2026-11145, a rating that reflects both the realistic difficulty of exploitation and the limited nature of the leaked data. However, “medium” does not mean negligible. Cross-origin data leaks can enable a wide range of secondary attacks, including:

  • Session hijacking: If the race exposes authentication cookies or tokens, an attacker could impersonate the victim on a targeted service.
  • User profiling: Combining geolocation data with other information can build a detailed profile for phishing or stalking.
  • WebView attacks: Android apps using WebView may be particularly vulnerable if they haven’t enforced strict origin isolation.

The vulnerability does not allow arbitrary code execution or full device compromise, which keeps it out of the “high” or “critical” buckets. Nevertheless, enterprises and individuals relying on Chrome for Android for sensitive work should treat this patch with urgency.

Affected Versions and Fix

The flaw affects “Google Chrome before version 149.0.7827.53 on Android.” The fix is included in the stable channel update released on June 4, 2026—the same day the CVE was published. Users running Chrome 149.0.7827.53 or later are protected.

Google typically backports security fixes to relevant release branches. At this time, it is unknown if any interim patches were shipped for older, discontinued Chrome versions. Users on Android 8.0 or newer should be able to update through the Play Store. Those stuck on older Android versions may have to rely on third-party browsers until they upgrade their OS.

The Chrome for Android release notes specifically mention the fix under security patch CVE-2026-11145, credited to an anonymous researcher or internal Google team (the NVD listing does not credit an external discoverer).

Timeline of Events

  • June 4, 2026: NVD publishes CVE-2026-11145. Google rolls out Chrome 149.0.7827.53 for Android.
  • June 8, 2026: NVD last modifies the entry (likely to add references or updated CVSS data).
  • June 5–8, 2026: Security firms and researchers begin dissecting the patch, leading to public awareness.

Google’s typical 90-day disclosure policy does not apply here because the company self-detected the bug (or received a private report) and patched it in the production release before public disclosure. This timeline suggests coordinated vulnerability disclosure, though no bug bounty report has been linked to this specific CVE.

How to Update Chrome for Android

If your device hasn’t auto-updated, follow these steps:

  1. Open the Google Play Store.
  2. Search for “Google Chrome.”
  3. If an update is available, tap “Update.”
  4. After installation, verify the version by navigating to chrome://version. The string should read “149.0.7827.53.”

Enterprise administrators managing Android devices through Mobile Device Management (MDM) should push the update immediately and enforce a minimum version policy. Users who rely on Chrome’s beta or Canary channels are likely already protected, as those builds often receive patches ahead of stable.

Mitigations for Unpatchable Devices

For users who cannot update—for instance, on deprecated Android versions—several workarounds can reduce risk:

  • Disable geolocation globally: In Chrome, go to Settings → Site settings → Location and toggle it off. This prevents all sites from triggering the vulnerable code path.
  • Use an alternative browser: Switching to a fully patched mobile browser like Firefox for Android or Brave (which is Chromium-based but receives independent updates) can provide temporary protection.
  • Employ a VPN or filtering proxy: While not a direct mitigation, a proxy that strips geolocation API calls might interfere with exploit delivery.
  • Restrict site permissions: Preemptively block location access for all sites except trusted ones. The exploit requires a geolocation request to fire, so reducing the attack surface helps.

These measures are not complete fixes—only applying the Chrome update fully eliminates the vulnerability.

The Bigger Picture: Race Conditions in Mobile Browsers

CVE-2026-11145 is the latest in a series of race condition bugs uncovered in modern browsers. Just in 2025 and 2026, similar flaws surfaced in Safari (Geolocation ID confusion) and Firefox (Service worker cache race). The complexity of multi-process architectures, combined with the unpredictable nature of mobile hardware scheduling, makes these bugs difficult to detect during development.

Google has invested heavily in tools like the ThreadSanitizer (TSan) and custom fuzzers to catch such races during testing, but as this CVE shows, some still slip through. The Android platform’s fragmentation complicates matters further—different device manufacturers and Android versions may have subtle timing variations that hide race conditions until a specific combination is exploited.

Going forward, the Chromium project plans to deepen its use of Rust for new components, which could eliminate some classes of data races through the language’s ownership model. However, logical race conditions (as opposed to memory races) remain a challenge.

Community and Researcher Reaction

Though the NVD entry is sparse, early discussions in security forums highlight mixed feelings. Some researchers argue that a cross-origin data leak with only geolocation data deserves a “low” severity, not medium. Others counter that the potential for chaining this leak with other exploits—like injecting iframes into WebView—escalates the risk.

“Medium severity is reasonable,” wrote a moderator on the Chromium security mailing list. “The attack requires user interaction (consenting to geolocation) and precise timing, but the data leaked isn’t just coordinates—it could be the state of other origins’ JS contexts. That’s more dangerous than people think.”

No active exploits have been spotted in the wild as of June 8, 2026, but the public disclosure will almost certainly trigger reverse engineering of the patch. Users should assume attackers will develop a working exploit within days.

What Enterprises Should Do

Security teams should treat this as a standard, time-sensitive patch deployment. Immediate actions include:

  • Scanning all Android fleet devices for outdated Chrome versions.
  • Blocking or sandboxing unpatched browsers at the network perimeter until updates are applied.
  • Reviewing logging and SIEM data for anomalous geolocation permission prompts or cross-origin request patterns that might indicate attempted exploitation.
  • Communicating with employees about the importance of staying on the latest Chrome build.

For organizations that develop Android apps with WebView, a review of WebView configurations is critical. Ensure that setAllowUniversalAccessFromFileURLs is disabled and that JavaScript interfaces do not leak sensitive data to embedded sites. Updating the WebView implementation via Android System WebView (ASW) updates is just as important as updating Chrome itself—though CVE-2026-11145 is explicitly a Chrome flaw, similar logic could apply to WebView if it shares the same codebase.

Conclusion

Google’s swift patch for CVE-2026-11145 neutralizes a vulnerability that, while not catastrophic, opens a subtle door for cross-origin data theft. The race condition in Chrome for Android’s geolocation handling reminds us that even mature, well-tested software can harbor nuanced bugs under specific timing conditions. Updating to version 149.0.7827.53 or later is the only way to close that door entirely. As mobile browsers continue to handle ever more sensitive tasks, the gap between theoretical race conditions and practical attacks will only shrink—making proactive patch management non-negotiable.