HIGH 8.8

CVE-2026-10923: Chrome Android Use-After-Free Code Execution Vulnerability

A use-after-free memory flaw in Google Chrome's web app installation feature for Android allows a local attacker to crash the browser or execute arbitrary code by providing a malicious file. The vulnerability affects Chrome versions before 149.0.7827.53 and requires user interaction (opening or installing a crafted app). While the attack requires local access and user involvement, the consequences—including full system compromise through code execution—make this a significant risk for Android users.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-416
Affected products
2 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Use after free in WebAppInstalls in Google Chrome on Android prior to 149.0.7827.53 allowed a local attacker to execute arbitrary code via a malicious file. (Chromium security severity: High)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10923 is a use-after-free vulnerability (CWE-416) in the WebAppInstalls component of Google Chrome on Android. The flaw occurs when Chrome references memory that has already been freed during web app installation processing. An attacker can exploit this by crafting a malicious file or app manifest that triggers unsafe memory access. The vulnerability carries a CVSS 3.1 score of 8.8 (HIGH) with a network attack vector, low complexity, no privilege requirement, and user interaction needed. Impact spans confidentiality, integrity, and availability—meaning successful exploitation can lead to data theft, system modification, or denial of service.

Business impact

For organizations and users managing Android devices, this vulnerability poses a material risk if Chrome is the primary browser or web app platform. Exploitation could lead to unauthorized access to sensitive data stored in or accessible through Chrome, modification of web app content or functionality, or device-level compromise if the attacker escalates from browser context. Organizations with bring-your-own-device (BYOD) programs or relying on Chrome-based enterprise web apps should prioritize remediation to prevent breach scenarios. The requirement for user interaction (e.g., accepting a malicious app installation) lowers the attack surface somewhat but does not eliminate risk in social engineering or supply-chain scenarios.

Affected systems

Google Chrome on Android versions prior to 149.0.7827.53 are affected. The vulnerability specifically impacts the WebAppInstalls subsystem, meaning users who install web apps or progressive web apps (PWAs) through Chrome are at direct risk. Any Android device running an unpatched Chrome version is vulnerable if a user interacts with a malicious app installation file or manifest. Desktop Chrome and Chrome on other platforms are not affected by this particular flaw.

Exploitability

The vulnerability requires a local attacker and user interaction to trigger, which somewhat constrains real-world exploitability compared to network-only flaws. However, the bar for triggering exploitation is relatively low: a user must open or attempt to install a malicious file or PWA manifest. Social engineering, phishing, or distribution through compromised app stores or websites could effectively deliver the payload. Once triggered, the memory corruption can be weaponized to execute arbitrary code with the privileges of the Chrome process, potentially accessing user data and installed apps. No public exploit code is known to be widely available, but the vulnerability is straightforward enough that skilled attackers could develop reliable exploitation techniques.

Remediation

Update Google Chrome on Android to version 149.0.7827.53 or later. Users can check and install updates via the Google Play Store or the Chrome app's built-in update mechanism. Organizations should enforce Chrome version policies through mobile device management (MDM) solutions to ensure timely patching across managed Android devices. Users should avoid opening or installing web apps from untrusted sources in the interim.

Patch guidance

Verify that Chrome has been updated to version 149.0.7827.53 or later by checking Settings > About Chrome on the affected Android device. The Play Store will automatically notify users of available updates, and most devices will install patches within days of release. For enterprise deployments, use MDM platforms (Google Mobile Device Management, Microsoft Intune, Samsung Knox, etc.) to enforce minimum Chrome versions and block older releases. Test patch deployment in a pilot group before organization-wide rollout to confirm compatibility with critical web apps or progressive web app deployments.

Detection guidance

Monitor Chrome version compliance across your Android fleet using MDM telemetry or mobile threat detection platforms. Look for indicators of compromise such as unexpected Chrome process crashes, unusual network activity from the browser, or unauthorized modifications to stored web app data. Endpoint detection and response (EDR) solutions on Android can flag suspicious memory access patterns or process behavior stemming from use-after-free exploitation. User reports of browser crashes when interacting with web apps should be investigated as potential exploitation attempts.

Why prioritize this

Despite requiring user interaction, this vulnerability merits high priority due to its severe impact (code execution with potential full device compromise), the widespread adoption of Chrome on Android, and the relative ease of delivering a malicious app file via social engineering or compromised distribution channels. The CVSS 8.8 score reflects the combination of high impact and low attack complexity. Organizations with large Android user bases, BYOD programs, or reliance on web apps should treat this as urgent.

Risk score, explained

The CVSS 3.1 score of 8.8 reflects a vulnerability with HIGH severity. The network attack vector acknowledges that malicious files can be distributed online; low complexity indicates no special skills are needed to craft an exploit; no privilege requirement means any app can trigger the flaw; and user interaction is required (clicking or installing). The impact scope is unchanged (confined to the vulnerable component), but confidentiality, integrity, and availability are all rated as HIGH because code execution allows the attacker to read sensitive data, modify browser state and data, and crash or disable the browser. This combination yields a score in the upper range of the HIGH band.

Frequently asked questions

I'm running Chrome on Android. Do I need to update right now?

Yes. If your Chrome version is below 149.0.7827.53, you should update immediately. Check Settings > About Chrome to see your current version and install any available updates from the Play Store. This flaw allows code execution if you interact with a malicious app file, so timely patching closes the door on a serious attack vector.

What exactly triggers this vulnerability?

The flaw is triggered when Chrome attempts to install or process a specially crafted web app or progressive web app (PWA) manifest file. An attacker must get you to open or install this malicious file—typically through phishing, a compromised website, or a social engineering attempt. Simply visiting a website is not enough; you must take an action related to app installation.

Does this affect Chrome on my desktop or iPhone?

No. This vulnerability is specific to Chrome on Android. Chrome on Windows, macOS, Linux, iOS, and other platforms are unaffected by this particular flaw. However, you should keep all browsers and devices up to date as a general security practice.

If I don't use web apps or PWAs, am I safe?

While web app installation is the attack vector, the underlying memory corruption could potentially be triggered through other means. It's safer to assume the vulnerability affects all Chrome users on Android versions prior to 149.0.7827.53 and update regardless of your app usage patterns.

This analysis is provided for informational purposes and represents a point-in-time assessment. Vulnerabilities evolve as new exploits, workarounds, and patches become available. Organizations should verify patch applicability, compatibility, and deployment timing against their own risk posture and device inventory. Always consult official vendor advisories and release notes before applying patches in production environments. SEC.co does not provide legal liability guarantees and recommends independent validation of all security recommendations. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).