CVE-2026-15119

Google · Chrome

A race condition vulnerability in the GetUserMedia API of Google Chrome could allow for unauthorized access or system manipulation.

Executive summary

A race condition vulnerability in Google Chrome’s GetUserMedia API presents a significant security risk, potentially allowing unauthorized access to system resources.

Vulnerability

This vulnerability is caused by a race condition within the GetUserMedia implementation. The flaw can be triggered via a specially crafted web page, potentially allowing an attacker to bypass security constraints or manipulate browser behavior.

Business impact

The vulnerability is rated with a CVSS score of 8.3. This highlights the risk of unauthorized access to sensitive peripherals or data if the race condition is successfully exploited. Such an event could lead to serious privacy breaches and loss of confidentiality for affected users.

Remediation

Immediate Action: Update all Google Chrome instances to the latest patched version provided by the vendor.

Proactive Monitoring: Monitor for unusual permission requests or unexpected behavior regarding browser access to media devices.

Compensating Controls: Use browser policy configurations to limit access to media devices (camera/microphone) to trusted origins only, reducing the attack surface.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Race conditions can be complex to mitigate manually; therefore, applying the vendor-supplied patch is the only reliable method to eliminate this risk. Organizations should prioritize updating their browser fleet to ensure comprehensive protection against this vulnerability.