HIGH 8.8

CVE-2026-10959: Use-After-Free in Google Chrome on Android – Patch Now

Google Chrome on Android contains a use-after-free vulnerability in its Input component that could allow an attacker to execute arbitrary code within the browser's sandbox by tricking a user into visiting a malicious website. The vulnerability affects Chrome versions prior to 149.0.7827.53 and requires user interaction (clicking a link or visiting a crafted page) to trigger.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-416
Affected products
2 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Use after free in Input in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10959 is a use-after-free memory corruption bug (CWE-416) in Chrome's Input subsystem on Android. When processing specially crafted HTML, the browser may reference memory that has already been freed, leading to uncontrolled code execution. Although the attack runs within the Chrome sandbox, successful exploitation could allow an attacker to bypass normal browser security boundaries and access sensitive data or escalate privileges on the device.

Business impact

A successful attack could expose sensitive user data cached by Chrome, including browsing history, stored passwords, and authentication tokens. For enterprise users, this threatens credentials used to access corporate systems and cloud services. The requirement for user interaction (visiting a malicious site) makes social engineering and phishing attacks the primary delivery vectors.

Affected systems

Google Chrome for Android versions prior to 149.0.7827.53 are vulnerable. Desktop and iOS versions of Chrome are not affected by this specific vulnerability. The underlying Android OS does not introduce the vulnerability; rather, the flaw resides in Chrome's Input processing logic on that platform.

Exploitability

The vulnerability requires minimal attacker sophistication—hosting a malicious HTML page and luring users to it is sufficient. No special network conditions or authentication are needed. However, successful exploitation depends on user interaction and may be partially mitigated by Chrome's sandbox architecture, which limits the scope of code execution. This is not currently listed on CISA's Known Exploited Vulnerabilities (KEV) catalog, suggesting active exploitation in the wild is not yet documented.

Remediation

Update Chrome on Android to version 149.0.7827.53 or later immediately. Users should enable automatic updates if not already configured. For organizations managing Android devices, verify that Mobile Device Management (MDM) solutions are pushing the latest Chrome version to enrolled devices.

Patch guidance

Chrome on Android typically updates automatically via the Google Play Store. Verify the update by opening Chrome, navigating to Settings > About Chrome, and confirming the version number is 149.0.7827.53 or higher. If automatic updates are disabled, manually trigger an update via the Play Store. For MDM-managed devices, confirm that patch deployment policies include Chrome browser components, not just OS-level updates.

Detection guidance

Monitor Chrome crash reports and user-reported browser instability on Android devices. Examine network logs for traffic to known malicious domains or suspicious HTML content. Endpoint Detection and Response (EDR) tools on Android may flag abnormal Chrome process behavior, though sandbox constraints limit detection opportunities. Consider surveying users about recent suspicious websites visited.

Why prioritize this

This vulnerability merits immediate attention due to its high CVSS score (8.8), broad attack surface (any webpage visit), and potential for credential theft targeting enterprise users. Although not yet documented in active exploitation, the low barrier to weaponization and reliance on basic user interaction make it a credible near-term threat.

Risk score, explained

The CVSS:3.1 score of 8.8 (HIGH) reflects network-based attack surface (AV:N), low attack complexity (AC:L), no privilege requirements (PR:N), and user interaction as the sole friction (UI:R). The impact is severe across confidentiality, integrity, and availability (C:H/I:H/A:H), though sandbox restrictions prevent full system compromise (S:U).

Frequently asked questions

Will my Android device be compromised if I update Chrome to 149.0.7827.53?

No. The update patches the vulnerability and removes the attack vector. Delaying the update poses greater risk than applying it.

Does this affect Chrome on my desktop or iPhone?

No. This vulnerability is specific to Chrome on Android. Desktop Chrome and Chrome on iOS have different codebases and are not affected by CVE-2026-10959.

What should I do if I clicked on a suspicious link before updating?

Update Chrome immediately to patch the vulnerability. If you suspect compromise, consider changing passwords for sensitive accounts (email, banking, corporate systems) from a different device and monitor those accounts for unauthorized activity.

Is there a workaround if I can't update right away?

The most practical interim measure is to avoid visiting untrusted websites and refrain from clicking suspicious links or ads. However, a timely update is the only reliable mitigation.

This analysis is provided for informational purposes to support vulnerability management and risk assessment. Patch version numbers and technical details are based on the CVE record as of the publication date. Organizations should verify compatibility and test patches in non-production environments before broad deployment. This advisory does not constitute legal, security, or professional advice. Consult vendor documentation and conduct independent security reviews as appropriate for your environment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).