HIGH 8.3

CVE-2026-10934: Chrome Android Autofill Use-After-Free Sandbox Escape

Google Chrome on Android contains a use-after-free vulnerability in its Autofill feature that could allow an attacker to escape the browser sandbox. The flaw requires an attacker to first compromise Chrome's renderer process—the component responsible for parsing and displaying web content—and then trick a user into visiting a malicious webpage. If successful, the attacker could break out of Chrome's security sandbox and gain broader access to the device. This vulnerability affects Chrome versions prior to 149.0.7827.53 on Android.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.3 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Weaknesses (CWE)
CWE-416
Affected products
2 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Use after free in Autofill in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10934 is a use-after-free (CWE-416) vulnerability in Google Chrome's Autofill functionality on Android. Use-after-free flaws occur when code accesses memory that has already been freed, potentially allowing an attacker to manipulate that memory and execute arbitrary code. In this case, the vulnerability exists in the renderer process—the sandboxed component that processes HTML and JavaScript. An attacker who has already compromised the renderer can craft a malicious HTML page that triggers the use-after-free condition in Autofill, enabling a sandbox escape. The CVSS 3.1 score of 8.3 (HIGH) reflects the high impact to confidentiality, integrity, and availability, moderated by the requirement for user interaction and a compromised renderer as a prerequisite.

Business impact

This vulnerability represents a significant escalation risk in multi-stage attacks. While a renderer compromise is needed first, successful exploitation could allow attackers to move from a sandboxed browser context to the underlying Android operating system, potentially leading to unauthorized access to sensitive user data, installation of malware, or lateral movement within the device. For organizations where employees use Chrome on Android devices for corporate email, banking, or other sensitive applications, this vulnerability increases the risk profile of those devices. The requirement for prior renderer compromise means this is more likely to affect users who have already clicked on malicious links or installed compromised content, making it part of a broader attack chain rather than a standalone entry point.

Affected systems

Google Chrome on Android versions prior to 149.0.7827.53 are affected. The vulnerability does not impact Chrome on other platforms (Windows, macOS, Linux) based on the CVE description, which specifically mentions Android. Chrome on desktop operating systems may have their own separate Autofill implementations or mitigations. Android users running Chrome 149.0.7827.53 or later are protected.

Exploitability

Exploitation requires two conditions: (1) the attacker must first successfully compromise Chrome's renderer process, and (2) the user must then visit a crafted HTML page while using the compromised renderer. This two-stage requirement significantly limits exploitability in the wild compared to vulnerabilities that can be triggered by simply visiting a malicious site. However, the Chromium security team rated this as HIGH severity, suggesting the post-compromise capabilities are severe. There is currently no evidence of active exploitation (the vulnerability is not listed on the CISA Known Exploited Vulnerabilities catalog), but security teams should assume that skilled attackers will develop reliable exploits once the patch is widely available for comparison.

Remediation

Users and administrators should prioritize updating Google Chrome on Android to version 149.0.7827.53 or later as soon as possible. The patch specifically addresses the use-after-free condition in Autofill. Administrators managing Android devices through Mobile Device Management (MDM) solutions should deploy Chrome updates through their standard patch management workflow. Given the need for prior renderer compromise, complementary defenses include blocking malicious advertisements, enforcing secure browsing policies, and monitoring for signs of renderer exploitation.

Patch guidance

Update Google Chrome on Android to version 149.0.7827.53 or later. Users can check their Chrome version by opening the Chrome app, tapping the three-dot menu, and navigating to Settings > About Chrome, which will display the current version and automatically check for updates. For organizations managing Chrome through enterprise policies, verify that your Mobile Device Management (MDM) policy enforces automatic Chrome updates or deploy the patched version directly. Testing the update in a non-production environment first is recommended to ensure compatibility with line-of-business applications, though Chrome updates are generally low-risk. Confirm patch deployment by verifying that affected devices report Chrome 149.0.7827.53 or higher.

Detection guidance

Detection of active exploitation is difficult because the vulnerability requires prior renderer compromise and a follow-up malicious HTML page. Log aggregation systems monitoring Android devices should look for: (1) unexpected Chrome crashes or restarts, particularly in proximity to suspicious web browsing activity; (2) unusual process behavior or privilege escalation attempts following Chrome activity; (3) unexpected data access or network connections originating from non-Chrome processes shortly after Chrome usage. Memory dumps from affected devices may show artifacts of use-after-free conditions, but require forensic analysis. The most practical detection approach is to ensure all Chrome instances are updated to 149.0.7827.53 or later and monitor for other indicators of renderer compromise, such as malicious advertisements or drive-by download attempts.

Why prioritize this

This vulnerability merits high-priority patching due to its sandbox-escape capability and HIGH CVSS score (8.3), but should not be treated as critical because exploitation requires prior renderer compromise. Organizations should patch within their standard high-priority window (7–14 days for most enterprises) rather than implementing emergency response procedures. The absence of KEV listing and active exploitation reports suggests this is not yet being weaponized at scale, reducing immediate pressure, but the severe nature of sandbox escapes means delay risks. Prioritize devices used by high-value targets (executives, finance staff) or those frequently exposed to untrusted web content.

Risk score, explained

The CVSS 3.1 score of 8.3 (HIGH) reflects: Attack Vector (Network) — the attack is triggered over the network via a malicious webpage; Attack Complexity (High) — exploitation requires prior renderer compromise, a non-trivial condition; Privileges Required (None) — once the renderer is compromised, no additional privileges are needed; User Interaction (Required) — the user must visit the crafted page; Scope (Changed) — the impact extends beyond the vulnerable component (Autofill) to the entire system (sandbox escape); Confidentiality/Integrity/Availability (High) — successful exploitation compromises all three security properties. The score appropriately reflects the severity of a sandbox escape while accounting for the prerequisite renderer compromise.

Frequently asked questions

Do I need to worry about this vulnerability if I don't use Chrome on Android?

This CVE is specific to Chrome on Android. If you use Chrome on Windows, macOS, or Linux, this particular vulnerability does not affect you, though you should stay current with patches for your platform. If you use other browsers (Firefox, Safari, Edge), this vulnerability does not apply, though similar issues may exist in those browsers.

What does 'renderer compromise' mean, and how likely is it to happen to me?

The renderer is Chrome's sandbox—the component that loads and displays web pages. A renderer compromise typically occurs when an attacker exploits another vulnerability in Chrome (or a plugin) to inject malicious code into the renderer process. Users are at higher risk if they frequently visit untrusted websites, click on suspicious links, or have outdated versions of Chrome. The good news is that this CVE requires the attacker to chain it with another exploit; it's not a one-click attack from a website alone.

Why isn't this vulnerability on the CISA Known Exploited Vulnerabilities list?

The KEV catalog tracks vulnerabilities with confirmed active exploitation in the wild. This CVE was recently published (June 2026) and appears not to have been exploited at scale yet. However, the absence from KEV does not mean it is safe to delay patching—sophisticated attackers may be quietly developing exploits. Apply patches promptly based on your standard change management schedule.

Does the patch affect Chrome's performance or functionality?

Google Chrome updates, including security patches, are designed to have minimal performance impact and typically do not change user-visible functionality. The patch specifically addresses the use-after-free condition in Autofill; normal Autofill functionality should continue to work as expected after updating.

This analysis is provided for informational purposes and reflects publicly available information as of the publication date. CVSS scores, patch versions, and affected product versions are sourced from official vendor advisories and NVD records; verify against Google Chrome's official security documentation for the most current information. This vulnerability requires prior renderer compromise and should not be assumed to pose immediate risk to users running current Chrome versions. Organizations should adapt remediation timelines to their risk tolerance and change management processes. SEC.co does not provide legal advice; consult your organization's legal and compliance teams regarding regulatory obligations related to patching timelines. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).