CVE-2026-10915: Chrome iOS Sandbox Escape via Use-After-Free
A use-after-free memory vulnerability exists in Google Chrome on iOS that allows an attacker who has already compromised the browser's renderer process to break out of the sandbox and gain deeper system access. The vulnerability requires the attacker to serve a specially crafted HTML page and involves a complex attack chain but poses severe risk because successful exploitation can lead to full compromise of the device. Chrome versions prior to 149.0.7827.53 on iOS are affected.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.3 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-416
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Use after free in Core in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10915 is a use-after-free vulnerability (CWE-416) in Chrome's Core component on iOS. The flaw exists in memory management where an object is referenced after it has been freed, creating a window for an attacker to manipulate heap state and execute arbitrary code. The vulnerability requires two preconditions: first, the attacker must already control the renderer process (typically through a separate renderer exploit), and second, the user must visit a malicious HTML page. Upon successful exploitation, the attacker can escape the sandbox—Chrome's primary isolation mechanism—potentially gaining access to files, credentials, and capabilities normally restricted to the app sandbox. Chromium has assigned this a High security severity rating.
Business impact
A sandbox escape in Chrome on iOS significantly elevates risk for organizations with mobile workforces. While the vulnerability requires prior renderer compromise, it removes a critical layer of protection between the attacker and sensitive device resources. For enterprises managing iOS devices with sensitive data, successful exploitation could enable theft of enterprise data stored in or accessible to Chrome, compromise of authentication tokens, and potential lateral movement to other apps or system services. The attack surface is limited to users who encounter malicious HTML while using Chrome, but no user warning may alert them to the danger.
Affected systems
Google Chrome on Apple iOS running versions prior to 149.0.7827.53 are vulnerable. The vulnerability does not affect Chrome on Android, macOS, Windows, Linux, or other platforms—it is specific to the iOS implementation. All users on affected Chrome versions should be considered at risk if they visit untrusted websites or click links from untrusted sources.
Exploitability
Exploitation requires a two-stage attack: first, the renderer process must be compromised through a separate vulnerability or technique, and second, the victim must visit attacker-controlled HTML. The CVSS vector indicates High complexity (AC:H), reflecting these requirements. While the barrier to entry is elevated compared to single-stage vulnerabilities, attackers motivated enough to develop or chain exploits could reasonably execute this attack. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the available data, suggesting no widespread active exploitation has been reported, though absence from KEV does not mean exploitation is impossible.
Remediation
Users must update Chrome on iOS to version 149.0.7827.53 or later. Apple's App Store will distribute this update automatically for users with automatic updates enabled. IT administrators managing enterprise iOS devices should verify the update has been deployed across their device fleet and confirm version numbers through their mobile device management (MDM) platform. Until patched, users should avoid visiting untrusted websites and be cautious of links from unknown senders, though these controls do not eliminate risk for targeted users.
Patch guidance
Apply Chrome version 149.0.7827.53 or any subsequent version to iOS devices. Check the App Store for available updates or enable automatic updates in iOS settings (Settings > General > Software Update > Automatic Updates). For enterprise-managed devices, use MDM tools to push the update and verify compliance. Test the patch in a non-production environment if your organization has custom web applications accessed through Chrome to ensure compatibility. Rollback to prior versions is not recommended; instead, ensure all devices advance to the patched version.
Detection guidance
Monitor Chrome version numbers across managed iOS devices using your MDM solution to identify devices still running versions prior to 149.0.7827.53. Check device logs and security tools for signs of renderer process compromise, such as unusual process termination, memory access violations, or suspicious app behavior. Endpoint detection and response (EDR) tools on iOS (if deployed) should be tuned to flag unexpected privilege escalation attempts or sandbox escape indicators. Network-based detection is limited for this vulnerability, as malicious HTML is delivered over normal HTTPS traffic and does not produce distinct signatures.
Why prioritize this
This vulnerability merits urgent but not emergency patching. The CVSS score of 8.3 reflects High severity; the required precondition (prior renderer compromise) prevents it from being Critical. Prioritize patching for users who handle sensitive data, access enterprise systems from iOS Chrome, or are likely targets for phishing or watering hole attacks. Organizations in regulated industries or facing advanced adversaries should accelerate deployment to all users. Standard business users can follow normal patch cycles, though delay of more than 1–2 weeks is not advised.
Risk score, explained
The CVSS 3.1 score of 8.3 (High) factors: Network-based attack vector (AV:N), High complexity reflecting the requirement for prior renderer compromise (AC:H), no special privileges needed to trigger the HTML delivery (PR:N), but user interaction required to visit the malicious page (UI:R). The scope is Changed (S:C) because the vulnerability can break out of the sandbox; confidentiality, integrity, and availability are all rated High (C:H/I:H/A:H) because successful exploitation can read arbitrary data, modify system state, and disrupt services. The High complexity moderates what would otherwise be a Critical rating.
Frequently asked questions
Do I need to be targeted specifically for this vulnerability to affect me?
Not necessarily. An attacker could host a malicious HTML page on a public website or compromise a legitimate website to serve the malicious content. If you visit that site with a vulnerable version of Chrome on iOS, you could be at risk. However, the attacker would first need to compromise the renderer process through a separate vulnerability, so this is not a single-click exploit for the average victim.
Does this vulnerability affect Chrome on other platforms like Android or macOS?
No. This vulnerability is specific to Chrome on iOS. It does not affect Android, macOS, Windows, or Linux versions of Chrome. If you use Chrome on those platforms, you are not vulnerable to CVE-2026-10915, though you should keep all platforms updated for other security reasons.
If I have automatic updates enabled, am I protected?
Yes, assuming your automatic updates are working correctly. With automatic updates enabled in iOS settings, Chrome will update to version 149.0.7827.53 or later automatically. However, you should verify that the update has completed by checking Chrome's version number in the App Store or in the Chrome app itself. If automatic updates are disabled, you must manually update.
What should I do if I suspect my device has been compromised through this vulnerability?
If you believe your device has been targeted, do not assume the attack succeeded simply because you visited a suspicious link. To be safe: (1) update Chrome immediately, (2) consider running a malware scan if your iOS device supports it, (3) change passwords for sensitive accounts, (4) monitor your accounts and credit reports for unauthorized activity, and (5) contact your IT support team or a security professional if you handle sensitive business information.
This analysis is based on publicly available vulnerability data and vendor advisories current as of the publication date. Patch version numbers, affected product versions, and severity ratings are sourced from official vendor statements and should be verified against the most current vendor security advisories before deployment. SEC.co makes no warranty regarding the completeness or accuracy of this analysis and recommends security teams consult their vendors' official guidance for definitive patch and mitigation information. No exploit code or weaponized proof-of-concept is provided; this material is intended for defensive purposes only. Organizations should implement their own risk assessment and patch management processes in accordance with their security policies and regulatory obligations. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10001HIGHChrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGHChrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10005HIGHChrome macOS Use-After-Free RCE Vulnerability (7.5 CVSS)
- CVE-2026-10007HIGHChrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)
- CVE-2026-10012HIGHChrome Skia Use-After-Free Sandbox Escape (v148.0.7778.216)
- CVE-2026-10013HIGHUse-After-Free in Chrome WebCodecs – Patch Guide & Risk Assessment
- CVE-2026-10016HIGHUse-After-Free in Chrome DOM – Sandbox Code Execution Vulnerability