Google Chrome’s June 4, 2026, security bulletin dropped a critical fix for Android users: CVE-2026-11012, a use-after-free vulnerability in the Serial component, patched in version 149.0.7827.53 and later. The flaw, rated High, allows a remote attacker who has already compromised the renderer process to potentially execute arbitrary code or cause a denial of service via a crafted HTML page. For security teams, the advisory carries a second sting—CPE mismatches in vulnerability scanners can misidentify affected Chrome instances, leaving Android fleets exposed while desktops get false alarms. This deep dive unpacks the technical bug, the platform-specific risk, and the messy CPE landscape that undermines patch verification.
CVE-2026-11012: What We Know
Chrome’s Serial API allows web applications to communicate with serial devices like microcontrollers or USB-to-serial adapters, bridging the physical and digital worlds. On Android, Chrome leverages the platform’s USB host capabilities to expose serial ports to web apps, a feature governed by the Web Serial specification. CVE-2026-11012 arises from a use-after-free condition in this Android-specific serial implementation.
A use-after-free occurs when a program continues to use a pointer to memory after it has been freed. Attackers can exploit this to hijack execution flow, often by placing controlled data in the freed memory region. In Chrome’s multi-process architecture, the renderer process—already a target for initial compromise via a malicious site—would need to be owned first. From there, an attacker could craft a serial-related operation that triggers the bug, escalating privileges or escaping the sandbox.
Google’s advisory is terse: the bug was reported by an external researcher, fixed in stable channel 149.0.7827.53, and affects Android only. The desktop versions (Windows, macOS, Linux) and ChromeOS are not listed as vulnerable, indicating the flaw resided in Android-specific code paths. This narrow scope is a mixed blessing: while the attack surface is contained, mobile devices often lag in patch uptake due to OEM and carrier delays for full system updates, though Chrome itself updates directly via the Play Store.
Anatomy of a Use-After-Free in the Serial API
To understand the real-world risk, consider how the Serial API operates. A web page requests access to a serial port, prompting the user for permission. If granted, the page can open a port, read/write data, and listen for events. The browser tracks these ports with internal objects that map to native handles. A use-after-free could occur if, for example, a port is closed while an asynchronous read operation still holds a reference, or if lifecycle mismanagement in signal handling leads to premature deallocation.
On Android, the integration with USB host services adds complexity. The USB device may be physically disconnected while the web app still thinks it’s active. A missing or incorrect lifecycle hook could leave a dangling pointer when the underlying native object is freed. An attacker who can force such a disconnect—perhaps by triggering a rapid plug/unplug cycle via a malicious accessory—might reliably trigger the bug.
The Patch: Version 149.0.7827.53 and Rollout
Chrome 149.0.7827.53 hit the Google Play Store on June 3, 2026, along with the security bulletin. As always, the update rolls out gradually: some users receive it immediately, others over the following days. Chrome for Android uses the same version number as desktop, but this bug does not affect desktop builds. That parity creates a false sense of uniformity that trips up many asset inventory tools.
The fix itself is a code change that ensures proper reference counting or early invalidation of pointers. Google paid a $7,000 bounty, a moderate sum suggesting a post-renderer-compromise impact and a reasonable exploit difficulty. The payment aligns with Chrome’s reward tiers for High-severity memory safety issues.
CPE Mismatch: When Scanners Get It Wrong
The Common Platform Enumeration (CPE) is the dictionary that vulnerability scanners use to identify software. For Chrome, a typical CPE string looks like cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:* with version ranges. The problem is that Chrome’s monolithic version number spans five platforms—Windows, macOS, Linux, ChromeOS, and Android—yet patches are sometimes platform-specific. A scanner looking for CVE-2026-11012 might flag every instance of Chrome below 149.0.7827.53, triggering alerts on Windows desktops that aren’t vulnerable. Conversely, an Android device running an older build like 149.0.7827.43 could be missed if the asset inventory lacks OS context.
Here’s how the mismatch plays out in practice:
- False positives: A Windows admin sees a critical Chrome alert, pushes an unnecessary emergency update, and wastes time investigating a non-issue.
- False negatives: An Android tablet running an unpatched Chrome is overlooked because the scanner assumes all Chrome installations are equal. Attackers love this.
- Incomplete reporting: Many CPE strings don’t distinguish between Chrome and Chrome for Android. The NVD and other databases often list a single CPE with the product ‘chrome’, but the Android package name is ‘com.android.chrome’ and may be mapped inconsistently.
To combat this, some vendors have introduced separate CPEs for Chrome on Android: cpe:2.3:a:google:chrome_for_android:*:*:*:*:*:*:*:* exists but isn’t universally adopted. Even when it is, the version tracking must align precisely with the Play Store rollout. A scanner that polls the Play Store API might get a publish date but not the precise version number available to each user.
Real-World Impact on Vulnerability Management
For enterprises that rely on NVD feeds and CPE-matching tools, CVE-2026-11012 highlights a blind spot. Consider a fleet with a mix of corporate Windows laptops and Android kiosk devices:
- The vulnerability scanner identifies all Chrome instances below 149.0.7827.53 as vulnerable.
- The IT team patches Windows devices first—these weren’t actually vulnerable to this CVE, so the effort is pure overhead.
- The Android kiosks, however, have Chrome 149.0.7827.47 (released a week earlier). The scanner reports them as vulnerable, but because the patch group shows a high fix rate on Windows, the team mistakenly assumes the risk is largely mitigated.
- An attacker targeting the kiosk’s Chrome browser via a malicious captive portal or sideloaded web app could exploit the use-after-free to break out of the renderer sandbox and gain control of the device.
This scenario isn’t hypothetical. Similar CPE gaps plagued earlier Android-only Chrome vulnerabilities, such as CVE-2022-0609 (use-after-free in Animation) and CVE-2021-38000 (insufficient validation of untrusted input in Intents). In those cases, organizations that relied solely on CPE scanning often missed the Android exposure until after exploitation reports surfaced.
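The matching failures described in the CPE section and in the laptop/kiosk scenario above can be reproduced in a few dozen lines. The following is an added example written for this article, not code from Google, the NVD or any scanner vendor: it takes a small constructed inventory (the Asset records, the OS labels and the reported_cpe field are assumptions) and runs three matching strategies against the fix version from the advisory. The first keys the CVE to the generic chrome CPE and flags the Windows laptop that was never affected; the second honours the chrome_for_android CPE but trusts the agent's product label and misses an Android device that was mapped under plain chrome; the third derives the product from OS context and gets it right. It also shows why version strings must be compared numerically rather than as text.

```python
"""Platform-aware matching of a Chrome CVE against an asset inventory.

Added example, not code from the original article or from any scanner vendor.
The inventory format, the Asset records and the three matching strategies are
constructed for illustration; the fixed version and the two CPE product names
(chrome, chrome_for_android) are the ones discussed in the article.
"""
from __future__ import annotations
from dataclasses import dataclass

FIXED_VERSION = "149.0.7827.53"             # first patched build per the advisory
AFFECTED_PRODUCTS = {"chrome_for_android"}  # the advisory lists Android only


@dataclass(frozen=True)
class Asset:
    name: str
    os: str            # as reported by the endpoint/MDM agent (assumed field)
    version: str       # Chrome version string
    reported_cpe: str  # CPE product the agent emitted; may be mapped inconsistently


def parse_version(v: str) -> tuple[int, ...]:
    """Chrome versions are dotted integers; compare numerically, never as strings:
    "149.0.7827.9" sorts *after* "149.0.7827.53" lexically but is the older build."""
    return tuple(int(part) for part in v.split("."))


def is_below_fix(asset: Asset, fixed: str = FIXED_VERSION) -> bool:
    return parse_version(asset.version) < parse_version(fixed)


def product_from_os(asset: Asset) -> str:
    """Derive the CPE product from OS context instead of trusting the agent's label."""
    return "chrome_for_android" if asset.os.lower() == "android" else "chrome"


def match_by_version_only(assets: list[Asset]) -> list[str]:
    """Strategy 1: CVE keyed to the generic chrome CPE, no platform filter.
    Flags every Chrome below the fix, including desktops that are not affected."""
    return [a.name for a in assets if is_below_fix(a)]


def match_by_reported_cpe(assets: list[Asset]) -> list[str]:
    """Strategy 2: honour the platform-specific CPE but trust the agent's label.
    Misses Android devices whose agent mapped them under plain 'chrome'."""
    return [a.name for a in assets
            if a.reported_cpe in AFFECTED_PRODUCTS and is_below_fix(a)]


def match_by_os(assets: list[Asset]) -> list[str]:
    """Strategy 3: derive the product from OS context, then apply the version test."""
    return [a.name for a in assets
            if product_from_os(a) in AFFECTED_PRODUCTS and is_below_fix(a)]


def scanner_errors(assets: list[Asset]) -> dict[str, list[str]]:
    """Compare the two flawed strategies against the OS-aware result."""
    truth = set(match_by_os(assets))
    return {
        "false_positives": sorted(set(match_by_version_only(assets)) - truth),
        "false_negatives": sorted(truth - set(match_by_reported_cpe(assets))),
    }


# Constructed inventory mirroring the mixed laptop/kiosk fleet described above.
INVENTORY = [
    Asset("laptop-01", "Windows", "149.0.7827.47", "chrome"),
    Asset("laptop-02", "Windows", "149.0.7827.53", "chrome"),
    Asset("kiosk-01", "Android", "149.0.7827.47", "chrome_for_android"),
    Asset("kiosk-02", "Android", "149.0.7827.47", "chrome"),  # mapped inconsistently
    Asset("kiosk-03", "Android", "149.0.7827.9", "chrome_for_android"),  # string-compare trap
    Asset("kiosk-04", "Android", "149.0.7827.53", "chrome_for_android"),
]

if __name__ == "__main__":
    for strategy in (match_by_version_only, match_by_reported_cpe, match_by_os):
        print(f"{strategy.__name__:24s} -> {strategy(INVENTORY)}")
    print("errors:", scanner_errors(INVENTORY))
```

The point of scanner_errors is that the two failure modes come from different strategies: trusting the generic CPE produces the Windows false positive, while trusting an inconsistently populated chrome_for_android label produces the Android false negative. Only the OS-derived product gives the list a defender actually needs to act on.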
Fixing the CPE Problem: What Administrators Can Do
Until the CPE ecosystem catches up, security teams should adopt compensating measures:
- Separate Android-specific Chrome assets: Tag Android devices distinctly and create scanning policies that filter by OS. Many modern VM platforms allow rules like “If OS is Android, scan for Chrome version X; else ignore.”
- Monitor Play Store build numbers: Google publishes a version history for Chrome on Android. An automated script can pull the latest stable build number and compare it against deployed versions across the fleet.
- Use the CVE’s platform annotation: The NVD entry for CVE-2026-11012 includes a “product” field that likely says “chrome:android.” Ensure your scanner honors this filter rather than applying the CVE to all Chrome products.
- Push for better CPE granularity: Vendors and the NVD team are slowly moving toward more precise CPEs. Engage with your scanning tool provider to confirm they support the chrome_for_android CPE.
Broader Context: The Overlap of Mobile and Desktop Threats
Chrome’s unified version numbering is a convenience for users but a headache for defenders. As web platform APIs like Serial, HID, and Bluetooth become richer, platform-specific attack surfaces grow. Android’s implementation of Web Serial, for example, interacts with the kernel’s USB stack and Android’s permission model, completely unlike the desktop implementation that uses platform-specific serial port backends. These differences mean that a bug in one platform rarely affects another, yet CPEs lump them together.
Google has openly discussed the challenge. In security blog posts, the Chrome team stresses that their release notes explicitly list affected platforms, but many aggregators strip that context. The onus falls on vulnerability management platforms to parse and apply the platform field correctly, which requires both technical capability and vigilance as CPE dictionaries evolve.
Recommendations for Security Teams
1. Patch Chrome on Android immediately via the Play Store. Even if your MDM doesn’t force auto-updates, push a policy to upgrade to version 149.0.7827.53 or later. Confirm the version by navigating to chrome://version on the device.
2. Audit your scanner’s Chrome CPE mapping. Generate a report of all Chrome instances detected and their OS. If Android devices appear under a generic Chrome CPE, work with your scanner vendor to apply the correct product discrimination.
3. Establish baseline alerts for mobile browser versions. Because mobile browsers can lag behind desktop updates due to staged rollouts, set thresholds for acceptable version skew and trigger alerts when devices fall too far behind.
4. Review threat models for kiosk and captive portal scenarios. If your organization deploys Android devices in public-facing roles (digital signage, self-checkout, patient check-in), consider locking down Chrome’s web serial access via enterprise policies. You can disable the “serial” permission in managed configurations to block exploitation entirely without waiting for the patch.
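The "monitor Play Store build numbers" measure above and recommendation 3 (baseline alerts with a tolerated version skew) are the same mechanism. The following added example, not code from the original article or from Google, shows one way to implement it: each OS gets a baseline (latest stable build and its publish date) and a skew policy, and a device alerts either when it is more major versions behind than the policy tolerates or when it is still below the baseline after a grace period that absorbs the staged rollout. The baselines, dates, policies and device records are constructed; where the latest build number comes from is left to whatever version-history feed the organisation already uses, since the article does not specify one.

```python
"""Version-skew alerting for a fleet of Chrome installs.

Added example, not code from the original article or from Google. The baseline
versions, publish dates, per-OS policies and device records are constructed for
illustration; in practice the baseline build number is filled from the
version-history feed the organisation already tracks (not specified here).
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Baseline:
    version: str      # latest stable build for this OS
    published: date   # when it began rolling out


@dataclass(frozen=True)
class SkewPolicy:
    max_major_behind: int   # how many major versions behind is tolerated
    grace_days: int         # days after publish before a stale build alerts


@dataclass(frozen=True)
class Device:
    name: str
    os: str
    version: str


def parse_version(v: str) -> tuple[int, ...]:
    """Dotted integer versions compared numerically, not lexically."""
    return tuple(int(p) for p in v.split("."))


def evaluate(device: Device, baseline: Baseline, policy: SkewPolicy,
             today: date) -> tuple[str, str]:
    """Return ("ok" | "alert", reason). A major-version lag beyond the policy alerts
    immediately; a stale build within the tolerated range alerts only once the
    grace period after the baseline's publish date has elapsed."""
    dev, base = parse_version(device.version), parse_version(baseline.version)
    if dev >= base:
        return "ok", "at or above baseline"
    major_behind = base[0] - dev[0]
    if major_behind > policy.max_major_behind:
        return "alert", f"{major_behind} major version(s) behind (max {policy.max_major_behind})"
    age = (today - baseline.published).days
    if age > policy.grace_days:
        return "alert", f"below {baseline.version} {age} days after release (grace {policy.grace_days})"
    return "ok", f"below baseline but within the {policy.grace_days}-day rollout grace"


def audit(devices: list[Device], baselines: dict[str, Baseline],
          policies: dict[str, SkewPolicy], today: date) -> dict[str, tuple[str, str]]:
    """Evaluate every device against the baseline and policy for its own OS."""
    return {d.name: evaluate(d, baselines[d.os], policies[d.os], today) for d in devices}


# Constructed data: the same fix build on both platforms, a stricter policy for
# Android because that is where this CVE actually applies.
BASELINES = {
    "android": Baseline("149.0.7827.53", date(2026, 6, 3)),
    "windows": Baseline("149.0.7827.53", date(2026, 6, 3)),
}
POLICIES = {
    "android": SkewPolicy(max_major_behind=0, grace_days=7),
    "windows": SkewPolicy(max_major_behind=1, grace_days=14),
}
DEVICES = [
    Device("kiosk-01", "android", "149.0.7827.47"),   # stale patch build
    Device("kiosk-02", "android", "148.0.7700.12"),   # constructed older major
    Device("kiosk-03", "android", "149.0.7827.53"),
    Device("laptop-01", "windows", "148.0.7700.12"),  # one major behind, tolerated
    Device("laptop-02", "windows", "149.0.7827.47"),
]
AUDIT_DATE = date(2026, 6, 12)  # nine days after the baseline was published

if __name__ == "__main__":
    for name, (status, why) in audit(DEVICES, BASELINES, POLICIES, AUDIT_DATE).items():
        print(f"{name:10s} {status:5s} {why}")
```

Run on the constructed fleet nine days after the fix shipped, the Android kiosk on the stale patch build alerts (its seven-day grace has passed) while the Windows laptop on the same build does not (fourteen-day grace, and that platform is not affected anyway); the Android device a full major behind alerts regardless of date. Tightening grace_days to zero for a platform turns the same check into a hard "must be on the fix build" gate for an actively exploited CVE.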
What’s Next
Google typically backports fixes to older channels for critical vulnerabilities, but with Chrome 150 on the horizon, the window for a 149.x fix is narrow. If your devices run Chrome Beta or Dev, verify that the patch has been merged; the bug may have been fixed earlier in those channels but under a different internal identifier.
The CVE-2026-11012 case study reinforces a painful truth in vulnerability management: metadata matters as much as the technical fix. Until CPE standards mature to handle platform-specific products cleanly, organizations must manually bridge the gap between what the scanner says and what the actual risk is. For now, double-check your Android Chrome versions, and don’t let a Windows false positive drown out a real mobile threat.