CVE-2026-10896: Use-After-Free in Chrome for iOS Allows Arbitrary Code Execution
A use-after-free vulnerability in Chrome for iOS allows attackers to execute arbitrary code on affected devices when a user visits a malicious website. The flaw exists in memory management within Chrome's iOS implementation and does not require any special user interaction beyond visiting a crafted HTML page. Google has assigned this a Critical severity rating within Chromium's internal severity scale, and CVSS scoring reflects it as HIGH (8.8).
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-416
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Use after free in Chrome for iOS in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10896 is a use-after-free bug (CWE-416) in the Chrome for iOS rendering engine. The vulnerability arises when Chrome attempts to access a memory object that has already been freed, allowing an attacker-controlled HTML page to trigger code execution in the context of the browser process. The attack vector is network-based with low complexity; no privileges or special configuration are required. User interaction is limited to visiting a webpage, making this a practical remote code execution risk for iOS users running vulnerable Chrome versions.
Business impact
Organizations whose employees use Chrome on iOS devices face direct risk of device compromise and data exfiltration. Attackers exploiting this vulnerability can gain arbitrary code execution, potentially leading to theft of authentication credentials, business communications, browsing data, and access to enterprise resources synced or cached on personal devices. Even in BYOD environments, the risk extends to corporate data accessed through those browsers.
Affected systems
Google Chrome for iOS versions prior to 149.0.7827.53 are vulnerable. The vulnerability also affects Apple iPhone OS, as Chrome for iOS runs on that platform. Organizations should audit deployment of Chrome on iOS and establish baseline versions. Desktop Chrome versions are not affected by this specific iOS-targeted vulnerability.
Exploitability
Exploitability is straightforward: an attacker needs only to host a crafted HTML page and trick or direct a user to visit it. No authentication, elevated privileges, or user-side technical steps are required. The barrier to exploitation is low, making this a practical threat in scenarios involving phishing, malicious advertisements, or compromised websites. The vulnerability has not been added to CISA's Known Exploited Vulnerabilities (KEV) catalog as of the latest update, though active exploitation cannot be ruled out given the critical nature and simplicity of the attack surface.
Remediation
Update Chrome for iOS to version 149.0.7827.53 or later. Google typically releases Chrome updates automatically, but users should verify their installed version via the App Store or within Chrome's settings (Menu > About Google Chrome). IT departments should communicate the update urgently to users and consider deploying Mobile Device Management (MDM) policies to enforce minimum Chrome versions or restrict the browser on corporate devices pending update completion.
Patch guidance
Visit the Chrome App Store listing and confirm the installed version matches 149.0.7827.53 or exceeds it. Automatic updates are enabled by default on most iOS devices; however, users should check Settings > [Your Name] > iTunes & App Store and confirm automatic app updates are enabled. For enterprise environments, use MDM solutions (Intune, Jamf, MobileIron) to enforce version compliance and restrict usage of older builds. Verification should be completed within 48 hours of patch availability given the critical severity.
Detection guidance
Monitor device inventory for Chrome installations and version numbers via MDM telemetry. Log unusual network activity or crashes on iOS devices correlating with user browsing. Endpoint Detection and Response (EDR) solutions with iOS support can flag suspicious code execution patterns. Network-based detection is limited without on-device logging; prioritize user education to report suspicious browser crashes or unexpected device behavior. Check App Store management consoles for deployment status of the patched version.
Why prioritize this
This vulnerability merits immediate prioritization due to the combination of remote exploitability, arbitrary code execution impact, and the ubiquity of iOS in the workforce. The attack requires no user sophistication beyond visiting a webpage, and the consequences—device compromise, credential theft, lateral movement—are severe. Despite not yet appearing in the KEV catalog, the low barrier to weaponization and high potential for abuse in targeted phishing campaigns justify urgent remediation.
Risk score, explained
The CVSS 3.1 score of 8.8 (HIGH) reflects a network-accessible vulnerability with low attack complexity, no privilege requirement, and high impact across confidentiality, integrity, and availability. While Chromium's internal severity is Critical, the CVSS HIGH rating aligns with practical risk: exploitation is trivial, but impact is contingent on user browsing behavior and attacker targeting. Organizations should treat this as a Critical priority in their own risk models given the business context and attack surface.
Frequently asked questions
Will Chrome update automatically on my iOS device?
Yes, by default. However, users should verify by going to Settings > [Your Name] > iTunes & App Store and confirming automatic app updates are enabled. Forced updates can also be configured via Mobile Device Management in enterprise environments.
Are desktop Chrome users affected?
No, this vulnerability is specific to Chrome for iOS. Desktop Chrome (Windows, macOS, Linux) is not affected by CVE-2026-10896.
Can this vulnerability be exploited without user interaction?
The attacker must convince the user to visit a malicious webpage. This typically occurs through phishing, malicious ads, or compromised legitimate sites. There is no known attack vector that bypasses the requirement for user browsing.
How can we enforce compliance in a BYOD environment?
Use Mobile Device Management platforms (Intune, Jamf, etc.) to set minimum app version requirements, restrict unapproved browsers, or require device enrollment. For unmanaged devices, communicate the update urgently to users and monitor for compliance through app store telemetry where available.
This analysis is provided for informational purposes and does not constitute professional security advice. Organizations should conduct their own risk assessment and verification of patch applicability before deployment. Version numbers and patch guidance are based on vendor advisories as of the publication date; verify against the latest Google Chrome release notes and Apple security documentation. Exploitation status, active attack campaigns, and KEV inclusion may change; monitor CISA advisories and vendor security bulletins for updates. This vulnerability is described as Critical by Google but scored HIGH in CVSS 3.1; prioritize according to your organizational risk model and affected asset inventory. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10001HIGHChrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGHChrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10005HIGHChrome macOS Use-After-Free RCE Vulnerability (7.5 CVSS)
- CVE-2026-10007HIGHChrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)
- CVE-2026-10012HIGHChrome Skia Use-After-Free Sandbox Escape (v148.0.7778.216)
- CVE-2026-10013HIGHUse-After-Free in Chrome WebCodecs – Patch Guide & Risk Assessment
- CVE-2026-10016HIGHUse-After-Free in Chrome DOM – Sandbox Code Execution Vulnerability