CVE-2026-10932: Chrome Android Use-After-Free Vulnerability (CVSS 8.8)
Google Chrome for Android contains a use-after-free vulnerability in its UI handling that allows an attacker to send a malicious HTML page to a user. If the user opens it, the flaw can corrupt Chrome's memory and potentially give the attacker control over the browser. The vulnerability was present in Chrome versions before 149.0.7827.53 on Android devices.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-416
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Use after free in UI in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10932 is a use-after-free condition (CWE-416) in the UI layer of Chromium on Android. The flaw occurs when Chrome references memory that has already been freed, allowing heap corruption when a user navigates to a specially crafted HTML page. This type of memory safety issue is particularly dangerous because it can be exploited remotely without user authentication, though it does require user interaction (opening a link or page). The Chromium project classified this as High severity.
Business impact
Organizations managing Android devices with Chrome users face moderate risk. A successful exploit could allow attackers to compromise the confidentiality, integrity, and availability of data accessed through the browser. For enterprises with sensitive workflows on mobile Chrome—email, banking, internal tools—an unpatched fleet exposes users to potential credential theft, session hijacking, or malware installation. BYOD environments and managed device programs are particularly affected if Chrome updates lag behind release cycles.
Affected systems
Google Chrome on Android devices running version 149.0.7827.52 and earlier are vulnerable. Desktop and iOS versions of Chrome are not affected by this specific flaw. The vulnerability is specific to Android's UI implementation in Chromium. Users on Android should verify their Chrome version in Settings > About Chrome to confirm whether an update is available.
Exploitability
Exploitation requires user interaction—an attacker must trick or socially engineer a user into visiting a malicious webpage. No additional privileges or special conditions are needed on the attacker side; the attack vector is network-based and straightforward once a victim is lured to the crafted page. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) reflects high impact across confidentiality, integrity, and availability with low attack complexity. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog, though this does not guarantee exploits do not exist in the wild.
Remediation
Update Google Chrome on Android to version 149.0.7827.53 or later. This is a mandatory security update. Users can enable automatic updates through the Google Play Store settings, or manually check for updates via Settings > About Chrome > Check for updates. Organizations should use Mobile Device Management (MDM) tools to enforce Chrome version policies and ensure timely deployment across managed Android fleets.
Patch guidance
Chrome updates on Android are typically delivered through the Google Play Store. Verify that automatic app updates are enabled in Play Store settings (Settings > Apps > Google Play Store > Play Store settings > Auto-update apps). Enterprise environments should configure MDM policies to mandate Chrome 149.0.7827.53 or later, with a compliance deadline aligned to their patch cycle—commonly 30 days for critical/high-severity mobile vulnerabilities. Monitor device compliance reports to identify any lagging devices. Note: verify exact patch version numbers against Google's official Chrome Release Notes to confirm the build you deploy includes this fix.
Detection guidance
Monitor Chrome version numbers across your managed Android device fleet via MDM reporting. Set alerts if any device reports Chrome version 149.0.7827.52 or lower. Examine network and endpoint logs for suspicious HTML rendering activity or unexpected memory access patterns on Chrome processes, though detection of in-memory exploitation is difficult without EDR. Watch for user reports of Chrome crashes or unusual behavior on Android. Note that this vulnerability requires user interaction, so phishing campaigns or malicious ad networks targeting Chrome users on Android are plausible attack vectors; consider blocking known malicious domains via proxy or DNS filtering.
Why prioritize this
This vulnerability merits rapid patching priority due to its HIGH CVSS score (8.8), remote network exploitability, and impact across confidentiality, integrity, and availability. Although it requires user interaction, Android users frequently browse untrusted content, and social engineering remains highly effective. The absence from the KEV catalog does not diminish urgency; the technical characteristics (memory corruption, heap exploitation potential) make it attractive to threat actors. Organizations should treat this as urgent within a 7–14 day patch window for Android Chrome.
Risk score, explained
The CVSS 3.1 score of 8.8 (HIGH) reflects: (1) Network-based attack vector with no authentication required, (2) Low attack complexity—a single crafted HTML page is sufficient, (3) User interaction required but realistic, (4) High impact on confidentiality, integrity, and availability simultaneously. The score does not include temporal or environmental factors; organizations using Chrome for critical workflows should adjust their internal risk rating upward.
Frequently asked questions
Does this affect Chrome on Windows, macOS, or iOS?
No. This vulnerability is specific to Chromium's Android UI implementation. Desktop and iOS versions have different UI codebases and are not affected by CVE-2026-10932.
What happens if a user is tricked into visiting a malicious webpage?
The attacker's crafted HTML page can trigger the use-after-free condition, corrupting Chrome's heap memory. This could allow the attacker to execute arbitrary code, steal session data, credentials, or other sensitive information, or crash the browser.
Is this vulnerability being exploited in the wild?
As of the publication date, this vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. However, the absence of known public exploits does not mean attackers are not attempting to exploit it; organizations should assume active threat activity and patch urgently.
How can I check if my Android device is vulnerable?
Open Chrome, tap the three-dot menu, go to Settings > About Chrome. Your current version will be displayed. If it is below 149.0.7827.53, the device is vulnerable. Ensure automatic updates are enabled in the Google Play Store to receive patches automatically.
This analysis is provided for informational purposes and is based on publicly available vulnerability data as of the publication date. SEC.co does not guarantee the completeness or accuracy of third-party vendor information or patch release schedules. Organizations should verify all patch version numbers and compatibility with their devices against official Google and Android vendor advisories before deployment. Exploitation techniques and tooling are not discussed or provided. Organizations are advised to conduct their own risk assessment, testing, and validation in non-production environments prior to widespread patching. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10000HIGHChrome Sandbox Escape via Use-After-Free in Password Handling
- CVE-2026-10001HIGHChrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGHChrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10005HIGHChrome macOS Use-After-Free RCE Vulnerability (7.5 CVSS)
- CVE-2026-10007HIGHChrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)
- CVE-2026-10012HIGHChrome Skia Use-After-Free Sandbox Escape (v148.0.7778.216)
- CVE-2026-10013HIGHUse-After-Free in Chrome WebCodecs – Patch Guide & Risk Assessment