CVE-2026-15119
Google · Chrome
A race condition vulnerability in the GetUserMedia API of Google Chrome could allow for unauthorized access or system manipulation.
Executive summary
A race condition vulnerability in Google Chrome’s GetUserMedia API presents a significant security risk, potentially allowing unauthorized access to system resources.
Vulnerability
This vulnerability is caused by a race condition within the GetUserMedia implementation. The flaw can be triggered via a specially crafted web page, potentially allowing an attacker to bypass security constraints or manipulate browser behavior.
Business impact
The vulnerability is rated with a CVSS score of 8.3. This highlights the risk of unauthorized access to sensitive peripherals or data if the race condition is successfully exploited. Such an event could lead to serious privacy breaches and loss of confidentiality for affected users.
Remediation
Immediate Action: Update all Google Chrome instances to the latest patched version provided by the vendor.
Proactive Monitoring: Monitor for unusual permission requests or unexpected behavior regarding browser access to media devices.
Compensating Controls: Use browser policy configurations to limit access to media devices (camera/microphone) to trusted origins only, reducing the attack surface.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Race conditions can be complex to mitigate manually; therefore, applying the vendor-supplied patch is the only reliable method to eliminate this risk. Organizations should prioritize updating their browser fleet to ensure comprehensive protection against this vulnerability.