CVE-2026-10952: Critical Chrome iOS Use-After-Free Vulnerability
A use-after-free vulnerability in Google Chrome for iOS allows attackers to corrupt memory on affected iPhones by tricking users into visiting a malicious website. The flaw exists in how Chrome handles certain objects in memory after they've been freed, leaving dangling references that an attacker can manipulate through a crafted HTML page. If successfully exploited, this could lead to arbitrary code execution on the victim's device.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-416
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Use after free in Chrome for iOS in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10952 is a use-after-free vulnerability (CWE-416) in Chrome for iOS that occurs when the browser fails to properly manage object lifecycle in memory. After an object is freed, the application continues to reference that memory location. An attacker can craft a malicious HTML page that triggers this condition, potentially writing to the freed memory region and corrupting the heap. The vulnerability requires user interaction—the victim must visit the attacker's page—but no other prerequisites are needed. The attack surface is remote and the impact severity is high, affecting confidentiality, integrity, and availability.
Business impact
Exploitation of this vulnerability could allow attackers to execute arbitrary code on compromised iPhones, leading to data theft, installation of malware, or unauthorized access to sensitive information stored on the device. For organizations managing mobile fleets with iOS devices, unpatched Chrome instances represent a direct path to compromise without requiring additional attack steps. Users who regularly use Chrome on iPhone are at elevated risk, particularly if they visit untrusted or compromised websites.
Affected systems
Google Chrome on iOS prior to version 149.0.7827.53 is affected. The vulnerability is specific to the iOS platform and does not affect Chrome on macOS, Windows, Linux, or Android. Any iPhone or iPad running an unpatched version of Chrome is vulnerable. The issue does not require specific hardware configurations or prior system compromise.
Exploitability
Exploitation is feasible with moderate effort. An attacker must craft a malicious HTML page and distribute it via a website, email link, or other web-accessible means. The attack requires user interaction—specifically, the victim must visit the malicious URL in Chrome on iOS—but no authentication, special privileges, or user-initiated downloads are needed. The network-accessible, low-complexity nature of the attack combined with the requirement for user interaction places this in a high but not critical exploitability category.
Remediation
Update Google Chrome on iOS to version 149.0.7827.53 or later. The update is available through the Apple App Store. For iOS device management, push updates through Mobile Device Management (MDM) solutions if available in your organization. Advise users to enable automatic app updates in the App Store settings to mitigate delays in patching.
Patch guidance
Navigate to the Apple App Store, search for Google Chrome, and verify the installed version is 149.0.7827.53 or newer. If an older version is installed, tap 'Update' to install the patched version. Users with automatic updates enabled should already have received the patch. Enterprise administrators should verify patch deployment through their MDM platform and confirm compliance across managed iOS devices. No known workarounds are available, so timely patching is essential.
Detection guidance
Monitor for Chrome crashes on iOS devices associated with memory corruption. In an enterprise setting, query MDM or mobile threat defense (MTD) tools for Chrome version inventory and flag devices running versions prior to 149.0.7827.53. Implement network-based detection by monitoring for unusual traffic patterns to known attacker infrastructure if you have visibility into user web browsing. Endpoint detection and response (EDR) solutions on iOS should flag unexpected process execution or memory access patterns following Chrome activity.
Why prioritize this
This vulnerability merits urgent attention due to its high CVSS score (8.8), remote exploitability without authentication, and the widespread use of Chrome on consumer and enterprise iOS devices. The use-after-free flaw is a well-understood memory safety issue with a long history of exploitability in real-world attacks. While the vulnerability currently shows no KEV status, the combination of ease of exploitation and high impact justifies prompt patching. Organizations with significant iOS user bases or sensitive workflows on mobile devices should prioritize this patch.
Risk score, explained
The CVSS 3.1 score of 8.8 (HIGH) reflects a network-accessible vulnerability with low attack complexity, no privilege requirements, and user interaction as the only prerequisite. The impact is severe across all three confidentiality, integrity, and availability dimensions, indicating potential for complete system compromise. The score does not account for threat intelligence or environmental factors, so organizations handling highly sensitive data or facing active targeting should consider this vulnerability more critical than the base score alone suggests.
Frequently asked questions
Does this vulnerability affect Chrome on other platforms like Windows or Android?
No. CVE-2026-10952 is specific to Chrome on iOS. Chrome on Windows, macOS, Linux, and Android are not affected by this particular use-after-free flaw. However, users should maintain patching discipline across all platforms as other vulnerabilities may affect them.
Can this vulnerability be exploited without the user clicking anything?
No. The attack requires user interaction—specifically, the victim must visit a malicious website in Chrome on iOS. Drive-by downloads or zero-click exploits are not possible with this vulnerability. This makes user education and awareness important supplementary controls.
What happens if my iPhone is compromised through this vulnerability?
If exploited, an attacker could execute arbitrary code on the device, potentially stealing data from apps, accessing camera and location services, exfiltrating photos and messages, or installing persistent malware. The extent of damage depends on what permissions Chrome and other apps have been granted.
Is there a way to temporarily disable Chrome on iOS until I can patch?
Yes. You can delete the Chrome app from your iPhone or offload it through Settings > General > iPhone Storage, then reinstall it after updating to version 149.0.7827.53 or later. Alternatively, disable Chrome and use Safari until you can verify the patch is installed. Enable automatic app updates to prevent future delays.
This analysis is provided for informational purposes and represents the professional assessment of SEC.co's security research team based on available vulnerability data as of the publication date. Patch version numbers and affected product versions are sourced from the official vulnerability record and should be verified against vendor security advisories before deployment. No exploit code or weaponized proof-of-concept details are provided. Organizations should conduct their own risk assessment based on their environment, user population, and threat landscape. SEC.co makes no warranties regarding the completeness or accuracy of this analysis and recommends consultation with qualified security professionals for implementation decisions. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10001HIGHChrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGHChrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10005HIGHChrome macOS Use-After-Free RCE Vulnerability (7.5 CVSS)
- CVE-2026-10007HIGHChrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)
- CVE-2026-10012HIGHChrome Skia Use-After-Free Sandbox Escape (v148.0.7778.216)
- CVE-2026-10013HIGHUse-After-Free in Chrome WebCodecs – Patch Guide & Risk Assessment
- CVE-2026-10016HIGHUse-After-Free in Chrome DOM – Sandbox Code Execution Vulnerability