A freshly disclosed medium-severity vulnerability in Google Chrome for Android is causing headaches for security teams due to a CPE mismatch that leaves scanners blind to the flaw. CVE-2026-11064, published June 4, 2026, describes a race condition in Chrome’s GPU handling that can let an attacker with renderer process access leak sensitive information. The vulnerability affects Chrome on Android prior to version 149.0.7827.53.

Security scanners that rely on the National Vulnerability Database (NVD) Common Platform Enumeration (CPE) data are missing the vulnerable application entirely. The official CPE entry incorrectly maps the vulnerability to a generic Google Android CPE rather than the specific Chrome for Android package. This mismatch means organizations conducting passive vulnerability assessments may falsely believe their mobile Chrome deployments are safe.

GPU Race Condition Opens a Leak Path

Chrome relies heavily on hardware acceleration to deliver smooth browsing. The GPU process handles rendering, video decode, and WebGL operations. A race condition occurs when two operations compete for the same resource without proper synchronization, potentially leading to out-of-bounds reads or writes.

CVE-2026-11064 sits in the inter-process communication (IPC) layer between the renderer and GPU process. A compromised renderer—achievable via a malicious website or a rogue extension—can trigger a carefully timed sequence that causes the GPU process to leak arbitrary data from its memory space. That data might include rendered content from other tabs, user credentials, or even kernel pointers useful for further exploitation.

The Chromium team assigned the bug a medium severity because exploitation requires an attacker to first compromise the renderer sandbox. However, coupling this with a separate code-execution bug could escalate the impact significantly. Google’s advisory notes that it “may potentially be exploited in the wild,” though no active attacks have been confirmed.

Why Your Scanner Says You’re Safe When You’re Not

The NVD listing for CVE-2026-11064 includes a CPE that targets the Android operating system itself: cpe:2.3:o:google:android:*:*:*:*:*:*:*:*. This is a broad family that covers the entire OS, not the Chrome application. Vulnerability management tools that productize NVD data automatically check installed software against CPEs. A device running Chrome for Android will report the application as com.android.chrome (package name) or a matched CPE like cpe:2.3:a:google:chrome:148.*. Since the NVD entry omits that specific application CPE, the scanner sees no match and reports no finding.

“It’s a classic CPE gap,” says a vulnerability analyst who flagged the issue on a community forum. “Admins see a green dashboard, but vulnerable Chrome instances are everywhere on their mobile fleet.”

The mismatch likely stems from how the CVE Numbering Authority (CNA) submitted the record. Google, which assigns CVEs for Chrome via its own CNA, often supplies a minimal CPE set. The MITRE CVE team or NIST then enriches the entry, but delays or data-entry errors can leave application-specific CPEs absent for days or weeks.

Who Is Affected?

Chrome for Android versions before 149.0.7827.53 are vulnerable. The fix shipped in Chrome 149 on June 4, 2026, as part of a stable channel update that also addressed eight other security bugs. Devices that have automatic updates enabled via the Play Store will receive the patch seamlessly. Enterprise-managed devices that pin Chrome to a specific version, or environments where IT blocks auto-updates, remain exposed.

Chromium-based browsers that use the System WebView component on Android—such as Samsung Internet or in-app browsers—might also be affected if they haven’t adopted the latest WebView release (version 149.0.7827.53). The WebView implementation shares the same GPU process model, so the race condition is likely present there as well. Google’s advisory doesn’t explicitly list WebView, but a changelog reference to a “GPU race in Android rendering” suggests the vulnerability spans both components.

Practical Steps to Verify and Fix

Security teams can’t afford to wait for CPE data to be corrected. Here’s a reliable verification method:

  1. Check the Chrome version on managed Android devices. Navigate to chrome://version in the address bar. The Application version string should begin with 149.0.7827.53 or higher.
  2. If using an MDM/EMM solution, pull the installed application inventory. For managed Google Play, query the app version code. The patched version code for Chrome 149 is 782705300 (corresponding to 149.0.7827.53).
  3. Audit WebView versions. Go to Settings > Developer Options > WebView implementation. On unmanaged devices, users can update via the Play Store’s “Android System WebView” listing.
  4. Don’t trust passive scanner results. Until NVD adds the proper CPEs, manually correlate your asset inventory against the known fixed version. Consider using a vulnerability intelligence feed that provides vendor-rescored CPEs.
  5. Force an immediate update if you find older versions. Organizatio ns can push Chrome updates through managed Play Store policies or instruct users to update manually.

For Google Workspace admins, you can verify Chrome OS managed devices, but note that this CVE specifically targets Android. Chrome OS uses a different graphics stack and typically applies security patches through a separate track, though the underlying GPU code may be similar. Google has not issued a separate Chrome OS advisory.

The Bigger Picture: GPU Security in Chrome

GPU vulnerabilities have become a recurring theme in Chrome’s security bulletins. The GPU process, while sandboxed from the renderer, has access to a wide array of hardware drivers that are often closed-source and riddled with their own bugs. A memory leak or race condition in Chrome’s GPU layer can bypass the same-origin policy and expose data across tabs.

CVE-2026-11064 is the third GPU-related flaw disclosed in Chrome 149. The other two—CVE-2026-11062 and CVE-2026-11063—were both high-severity use-after-free vulnerabilities in the Dawn graphics backend. The accumulation of GPU bugs highlights the attack surface expansion that hardware acceleration introduces. Mitigation efforts like isolating GPU tasks per renderer and using Vulkan fences are progressing, but race conditions remain difficult to eradicate entirely.

How the CPE Mismatch Complicates Triage

The CPE mismatch goes beyond a simple scanner oversight. It exposes a flaw in how vulnerability data flows from a vendor to the broader ecosystem. When a CNA like Google publishes a CVE record, it includes a limited set of affected products. The NVD team then enriches the record with full CPE names, often relying on human analysts. During spikes in CVE volume or when a product name is ambiguous, application-specific CPEs can be delayed or omitted.

This mismatch has real consequences:

  • Compliance gaps: Frameworks like FedRAMP or PCI DSS require scanning for all known vulnerabilities. A false-negative from a CPE gap could lead to non-compliance findings during an audit.
  • Incident response blind spots: When a breach occurs, responders may overlook a known vulnerability if their tooling doesn’t flag it. Attackers actively monitor NVD feeds and are aware of CPE gaps.
  • Patch prioritization delays: Dashboards that show “no vulnerable instances” for CVE-2026-11064 reduce the urgency to update, even though the risk remains.

Some vulnerability management platforms are already addressing this. CrowdStrike’s Spotlight, for example, uses a proprietary CPE model that maps CVEs to software titles based on combined vendor data, reducing reliance on NVD’s CPE strings. Qualys and Tenable are expected to update their detection plugins as soon as the correct CPEs are published, but manual verification remains the safest route.

Testing for Exploitation

While no public exploit code has emerged, the vulnerability’s nature makes it relatively straightforward for a skilled attacker to weaponize. A proof-of-concept would involve a malicious webpage that corrupts a renderer process through a separate bug and then triggers the race condition to read back GPU memory. The reliable timing required might need tens of thousands of attempts, but on mobile devices with predictable hardware and low OS noise, it becomes feasible.

Penetration testers can check their own environments by attempt ing to replicate the conditions. A simple test:

  • Set up an Android device with Chrome 148 (build 148.0.6782.139).
  • Access a crafted test page that continuously allocates and frees WebGL textures while sending IPC messages to the GPU.
  • Monitor for abnormal memory reads via logcat. A successful leak might show accesses to memory regions outside the intended texture data.

Organizations running bug bounty programs should ensure that reports citing CVE-2026-11064 are triaged quickly, as the fix is already available and any proof-of-concept can easily be tested against patched versions.

The Road Ahead

Google is expected to update the CVE record with the proper CPEs within the next few days, based on historical patterns. Until then, the security community is filling the gap with shared detection scripts and community-sourced enrichment data. Several open-source security tools, like FleetDM and Wazuh, allow administrators to add custom vulnerability checks that bypass CPE matching entirely.

This incident serves as a reminder that vulnerability management can’t be outsourced solely to automation. Human review and a deep understanding of how CPE data flows are essential to prevent these blind spots. For Chrome on Android, the fix is simple: update to version 149.0.7827.53 or later. The real challenge is finding all the places where Chrome hides in your mobile fleet when your most trusted scanners insist nothing is wrong.