Description
Race in Geolocation in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-04
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A race condition in the Geolocation API of Google Chrome for Android allows a remote attacker to leak cross-origin data through a specially crafted HTML page. The flaw is a Medium severity issue in Chromium and could enable an attacker to read location data or other protected information that should be isolated between origins, but it does not provide arbitrary code execution or denial of service.

Affected Systems

Google Chrome on Android is affected in versions earlier than 149.0.7827.53. The issue manifests in the stable channel of Chrome for Android and applies to any device that has not yet received the 149.0.7827.53 release or a later update that patches the race condition.

Risk and Exploitability

The Chromium report labels the bug as Medium severity with a CVSS score of 5.3 and a low EPSS score of <1%; the vulnerability is not listed in the CISA KEV catalog. Because the flaw requires a crafted page and user interaction with the Chrome browser on Android, exploitation probability is moderate, but any device running an affected version remains vulnerable to cross-origin data leakage.

Generated by OpenCVE AI on June 8, 2026 at 20:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Chrome to version 149.0.7827.53 or later through the Google Play Store or system update
  • If an update cannot be applied immediately, restrict or disable the Geolocation feature in Chrome’s settings or via device location services to prevent the race condition from being triggered
  • Monitor for future Chrome releases that patch additional vulnerabilities and verify that the device is on the latest stable channel



Advisories
Source | ID | Title
Debian DSA | DSA-6325-1 | chromium security update
History

Mon, 08 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics
Values Removed: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}
Values Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N'}


Mon, 08 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Google android
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:google:android:-:*:*:*:*:*:*:*
Vendors & Products Google android

Sun, 07 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Title chromium-browser: Race in Geolocation
Weaknesses CWE-368
References
Metrics
Values Removed: threat_severity None
Values Added: threat_severity Moderate


Sat, 06 Jun 2026 06:15:00 +0000

Type Values Removed Values Added
Title Race Condition in Chrome Geolocation API Allows Cross‑Origin Data Leakage

Sat, 06 Jun 2026 04:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 05 Jun 2026 06:15:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Fri, 05 Jun 2026 05:15:00 +0000

Type Values Removed Values Added
Title Race Condition in Chrome Geolocation API Allows Cross‑Origin Data Leakage

Thu, 04 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Race in Geolocation in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
Weaknesses CWE-362
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-08T18:41:38.971Z

Reserved: 2026-06-04T17:10:28.952Z

Link: CVE-2026-11145

Vulnrichment

Updated: 2026-06-06T03:32:45.956Z

NVD

Status: Modified

Published: 2026-06-04T23:17:20.780

Modified: 2026-06-08T19:16:40.683

Link: CVE-2026-11145

Redhat

Severity: Moderate

Public Date: 2026-06-02T00:00:00Z

Links: CVE-2026-11145 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-08T20:30:06Z

Weaknesses
  • CWE-362

    Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

  • CWE-368

    Context Switching Race Condition