CVE-2026-10951: iOS Chrome Autofill Use-After-Free (CVSS 8.8)
A use-after-free flaw in Chrome's Autofill feature on iOS allows attackers to corrupt device memory if a user is tricked into performing specific interactions with a malicious webpage. The vulnerability requires user interaction but can lead to complete system compromise—reading sensitive data, modifying files, or crashing the browser.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-416
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Use after free in Autofill in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10951 is a use-after-free vulnerability (CWE-416) in the Autofill subsystem of Google Chrome on iOS versions prior to 149.0.7827.53. The flaw allows an attacker to trigger heap corruption through a specially crafted HTML page combined with specific UI gestures. The vulnerability resides in memory management within the Autofill component, where a freed object may still be referenced after deallocation, leading to undefined behavior and potential code execution. The Chromium security team rated this as High severity.
Business impact
iOS users relying on Chrome face the risk of credential theft if they interact with malicious pages while autofill prompts are active. In enterprise environments where Chrome is a supported browser on BYOD or corporate iOS devices, this vulnerability could enable attackers to exfiltrate passwords, payment information, or session cookies stored in the browser. The requirement for user interaction reduces the attack surface but does not eliminate it—social engineering, drive-by downloads, or phishing remain effective delivery vectors. Organizations without patch deployment mechanisms for managed iOS devices may face prolonged exposure.
Affected systems
Google Chrome on Apple iOS devices running versions prior to 149.0.7827.53 are affected. Desktop and Android versions of Chrome are not impacted by this specific flaw. iOS users across all supported device models running vulnerable Chrome versions are at risk.
Exploitability
The vulnerability requires a user to visit a crafted webpage and perform specific UI interactions—likely related to triggering or interacting with autofill suggestions. This user-interaction requirement prevents worm-like propagation or mass infection but remains a practical attack vector through phishing, malicious advertisements, or compromised legitimate websites. No public exploit code is currently documented, and the flaw has not been added to the CISA Known Exploited Vulnerabilities catalog.
Remediation
Update Google Chrome on iOS to version 149.0.7827.53 or later. Users should enable automatic updates in the App Store settings to ensure timely patching. Organizations managing iOS fleets should enforce minimum Chrome version policies through their mobile device management (MDM) platform and verify compliance within 30 days of the patch release.
Patch guidance
Navigate to the Apple App Store, search for Google Chrome, and install the latest available version. Confirm the installed version matches 149.0.7827.53 or higher by opening Chrome, tapping the menu icon (three horizontal lines), selecting 'Settings,' then 'About Google Chrome'—the version number displays at the top. For enterprise iOS management, push the updated Chrome package through your MDM solution and set a compliance deadline. Verify patching on a sample of managed devices before closing the remediation ticket.
Detection guidance
Monitor for Chrome version numbers below 149.0.7827.53 on iOS devices via MDM telemetry or inventory management tools. Check for unusual autofill-related crashes or browser terminations in crash analytics. Implement network segmentation to reduce the blast radius if a device becomes compromised. Consider blocking access to high-risk external websites from iOS Chrome clients, or require VPN-protected browsing for sensitive authentication scenarios.
Why prioritize this
This vulnerability combines a high CVSS score (8.8), potential for memory corruption leading to code execution, and a popular attack surface (iOS Chrome on millions of devices). Although exploitation requires user interaction, the combination of autofill prominence in typical user workflows and the pervasive nature of phishing makes this a material risk. The lack of KEV listing suggests limited real-world exploitation to date, but organizations should not delay patching, as it may change rapidly.
Risk score, explained
The CVSS 3.1 score of 8.8 (HIGH) reflects the vulnerability's network-accessible attack vector (AV:N), low attack complexity (AC:L), lack of authentication requirements (PR:N), user-interaction dependency (UI:R), and impact on confidentiality, integrity, and availability (C:H/I:H/A:H). The user-interaction requirement prevents a perfect 9.0+ score, but the scope remains unchanged (S:U), meaning exploitation is limited to the affected Chrome process. The severity is justified given that heap corruption can escalate to arbitrary code execution.
Frequently asked questions
Does this affect Chrome on Android or desktop?
No. This use-after-free flaw is specific to the iOS implementation of Chrome's Autofill feature. Android and desktop versions are not vulnerable to CVE-2026-10951, though users should keep all platforms updated for other security improvements.
Can this vulnerability be exploited without user interaction?
No. The attacker must convince the user to visit a crafted webpage and perform specific UI gestures—typically interacting with autofill suggestions. This requirement significantly reduces passive exploitation scenarios, though phishing and social engineering remain effective delivery mechanisms.
Is there a workaround if I cannot patch immediately?
Disable autofill in Chrome settings (Settings > Passwords and Autofill) to reduce the attack surface. However, this is a temporary measure. Prioritize patching within 48–72 hours. If you manage iOS devices through MDM, ensure the patch is approved and enforced without delay.
What information could an attacker steal through this vulnerability?
By triggering heap corruption, an attacker could potentially read or modify data in the Chrome process memory, including passwords, session cookies, credit card information, and personal details stored in autofill fields. Depending on exploit sophistication, full device compromise is theoretically possible, though current evidence suggests limited real-world exploitation.
This vulnerability analysis is based on official Chrome and CVSS information current as of the publication date. Security severity and patch availability may change; always consult the official Google Chrome Release Notes and Apple security advisories for authoritative updates. No exploit code is provided or endorsed. Organizations should validate patch deployment in test environments before production rollout. This analysis does not constitute professional security advice; engage qualified security personnel for your organization's specific risk posture and compliance obligations. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10001HIGHChrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGHChrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10005HIGHChrome macOS Use-After-Free RCE Vulnerability (7.5 CVSS)
- CVE-2026-10007HIGHChrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)
- CVE-2026-10012HIGHChrome Skia Use-After-Free Sandbox Escape (v148.0.7778.216)
- CVE-2026-10013HIGHUse-After-Free in Chrome WebCodecs – Patch Guide & Risk Assessment
- CVE-2026-10016HIGHUse-After-Free in Chrome DOM – Sandbox Code Execution Vulnerability