HIGH 8.8

CVE-2026-10958: Use-After-Free in Chrome for iOS Allows Remote Code Execution

A use-after-free vulnerability exists in Google Chrome for iOS that could allow an attacker to execute arbitrary code on a user's iPhone. The flaw requires tricking a user into performing specific gestures (such as taps or swipes) while viewing a malicious webpage. Once exploited, an attacker gains full control over the browser process, potentially compromising sensitive data, installing malware, or pivoting to other device functions. Google has addressed this issue in Chrome version 149.0.7827.53 and later.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-416
Affected products
2 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Use after free in Chrome for iOS in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10958 is a use-after-free vulnerability (CWE-416) in the Chrome rendering engine on iOS. The vulnerability occurs when Chrome fails to properly manage memory for certain UI objects, allowing an attacker to reference freed memory and execute arbitrary code with browser context privileges. The attack vector is network-based, requires no special privileges, and depends on user interaction—specifically, the victim must perform defined UI gestures on a page served by an attacker. The vulnerability affects the interaction between Safari WebKit integration and Chrome's custom UI handling on iOS, making it distinct from desktop Chrome variants.

Business impact

Successful exploitation could lead to credential theft, interception of sensitive communications, malware installation, or unauthorized access to user accounts. For organizations with BYOD policies or employees who use personal iPhones for work email and productivity, this vulnerability poses a direct risk to corporate data. The requirement for user interaction lowers the barrier to weaponization—a phishing campaign combining a crafted webpage link with social engineering is a realistic attack scenario. Threat actors have strong incentive to exploit this before widespread patching.

Affected systems

Google Chrome on iOS versions prior to 149.0.7827.53 are affected. This vulnerability is specific to iOS and does not affect Chrome on Android, macOS, Windows, or Linux. Any iPhone or iPad running an unpatched version of Chrome is at risk. The vulnerability does not affect Safari or other third-party browsers, only Chrome for iOS specifically.

Exploitability

Exploitability is moderate to high in practical scenarios. While the vulnerability requires user interaction (UI gestures), the barrier to triggering those gestures is low—a convincing phishing email or social media link can deliver the malicious HTML page. Once a user taps or swipes as expected during normal browsing, the exploit executes without additional warnings or confirmations. No authentication or privileged access is needed. The attack is triggered remotely via a crafted HTML page, making it suitable for mass-targeting campaigns. However, the specificity of required UI gestures and the need for user engagement prevent this from being effortlessly exploitable.

Remediation

Update Google Chrome on iOS to version 149.0.7827.53 or later immediately. Users can check their current version in Settings > Chrome > About Chrome, which will auto-update if a new version is available. Organizations should communicate this requirement to employees using iPhones, particularly those with work-related browsing. Consider implementing Mobile Device Management (MDM) policies to enforce automatic updates or restrict Chrome usage on unpatched devices. Until patching is complete, users should avoid clicking unfamiliar links in email or messaging apps, especially those requesting specific interactions.

Patch guidance

Google released security updates on 2026-06-04 to address this vulnerability. Verify that devices are running Chrome version 149.0.7827.53 or later by navigating to the About Chrome section; the app will automatically check for and apply updates when connected to Wi-Fi. Organizations managing fleets of iOS devices via MDM can deploy updates through their management console. If auto-update is disabled, users must manually update via the App Store. There is no workaround for unpatched versions other than avoiding untrusted webpages and disabling JavaScript (not practical for most users).

Detection guidance

Monitor Chrome crash logs and security alerts for evidence of use-after-free exploitation, which often manifests as unexpected process termination or memory corruption errors. If MDM is deployed, check for devices still running Chrome versions below 149.0.7827.53. Examine email gateway logs and web proxies for indicators of phishing campaigns delivering malicious HTML pages designed to trigger the vulnerability—look for suspicious link shorteners or obfuscated URLs targeting iOS users. Correlate crash reports with user reports of unexpected Chrome behavior. For incident response, preserve device logs if an employee reports a suspicious browsing event or unusual device behavior after visiting an unexpected link.

Why prioritize this

This vulnerability merits immediate prioritization due to its high CVSS score (8.8), network attack vector, and low complexity. The requirement for user interaction is the primary limiting factor, but this does not significantly reduce risk given the effectiveness of phishing and social engineering. The vulnerability is not yet in the CISA KEV catalog, but its severity, browser ubiquity, and iOS user base make it a target for early exploitation. Organizations should prioritize patching devices with Chrome before attackers develop reliable exploit tooling or integrate the vulnerability into exploit kits.

Risk score, explained

The CVSS 3.1 score of 8.8 (HIGH) reflects a network-accessible vulnerability requiring no privileges and low attack complexity, but necessitating user interaction. The impact is severe: confidentiality, integrity, and availability are all compromised once arbitrary code execution is achieved within the browser process. The iOS environment provides some sandboxing, limiting device-wide compromise, but the browser sandbox itself is fully defeated. The score appropriately weighs the practical requirement for social engineering against the severe consequences of successful exploitation.

Frequently asked questions

Do I need to update Chrome if I only use Safari on my iPhone?

No, Safari is not affected by this vulnerability. However, if you or your organization allows use of multiple browsers, any devices running Chrome should be updated to reduce overall risk exposure and simplify compliance reporting.

What happens if I update Chrome to 149.0.7827.53?

The update patches the memory management flaw, eliminating the use-after-free condition. Your browsing experience and performance should be unchanged. The update is tested by Google before release and carries no known adverse effects. Update immediately when available.

Can an attacker exploit this vulnerability without any user action?

No. The attacker must convince the user to perform specific UI gestures—such as tapping, swiping, or scrolling—on a malicious webpage. However, these gestures are normal browsing behavior, making social engineering effective. Attackers typically craft pages that appear legitimate or use phishing to deliver the malicious link.

If I visit a malicious webpage but don't perform the required gestures, am I safe?

Likely yes, but it depends on the exact nature of the required gestures. The vulnerability requires intentional user interaction, so passive viewing of a page without tapping or swiping should not trigger the exploit. However, treat all unexpected links with suspicion and avoid clicking links from untrusted sources.

This analysis is provided for informational purposes and reflects information available as of the publication date. Security vulnerabilities and their exploitability may evolve; consult official vendor advisories (Google Security Blog, Apple Security Updates) for authoritative guidance. This explainer does not constitute legal or compliance advice. Organizations should validate patch compatibility with their infrastructure and test in non-production environments before broad deployment. SEC.co makes no warranty regarding the completeness or accuracy of third-party vulnerability data and encourages independent verification of all security claims. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).