HIGH 7.8

CVE-2026-11072: Chrome Android WebView Use-After-Free Remote Code Execution

A use-after-free flaw in Chrome's WebView component on Android allows a local attacker to run malicious code if a user opens a specially crafted file. The attacker needs physical or local access to the device and requires user interaction (opening the file), but once triggered, can gain full control over the affected application's privileges and data.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-416
Affected products
2 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Use after free in WebView in Google Chrome on Android prior to 149.0.7827.53 allowed a local attacker to execute arbitrary code via a malicious file. (Chromium security severity: Medium)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11072 is a use-after-free vulnerability (CWE-416) in the WebView rendering engine within Google Chrome for Android versions prior to 149.0.7827.53. The flaw occurs when WebView attempts to access memory that has already been freed, typically through manipulation of a malicious file that triggers specific rendering or scripting operations. An attacker crafting such a file can cause a controlled heap memory corruption, leading to arbitrary code execution within the WebView process context. The Chromium security team classified this as Medium severity, though the CVSS 3.1 vector reflects the high impact potential: local attack surface, low attack complexity, no privilege requirements, and user interaction needed.

Business impact

Organizations deploying Chrome on managed Android devices face risk of data exfiltration and malware installation if users open untrusted files from email, messaging, or downloads. In enterprise environments, this could compromise sensitive communications, stored credentials, and access to internal resources accessed through the browser. The impact is scoped to the WebView process itself, not the entire OS, but can still facilitate lateral movement or credential theft depending on what data the application stores.

Affected systems

Google Chrome on Android versions prior to 149.0.7827.53 are affected. This includes all Android devices running vulnerable Chrome builds. Additionally, any third-party Android application that embeds the Android System WebView component may be vulnerable if it relies on the same underlying code. Verify your specific Chrome version under Settings > About Chrome on each Android device.

Exploitability

Exploitation requires local access to the device and user interaction (opening a malicious file), reducing the attack surface compared to network-based vulnerabilities. However, exploitability is not yet documented in CISA's Known Exploited Vulnerabilities (KEV) catalog, meaning active in-the-wild exploitation has not been publicly confirmed as of the last update. The vulnerability is not trivial to exploit reliably (use-after-free conditions are often timing-sensitive), but a motivated attacker with sample devices and debugging tools can likely develop a working proof-of-concept. Social engineering to trick users into opening files remains the primary attack vector.

Remediation

Immediately update Google Chrome on all Android devices to version 149.0.7827.53 or later. For enterprise-managed devices, enforce automatic updates or push the update through mobile device management (MDM) systems. Users should also review file-handling practices: disable automatic opening of downloads, educate users about untrusted files, and consider disabling WebView if specific applications do not require it. No workarounds exist short of avoiding untrusted files.

Patch guidance

Google released Chrome 149.0.7827.53 to address this vulnerability. Check your Android device: go to Settings > About Chrome and tap 'Update Chrome' if available. If using a managed device, consult your IT team for enterprise rollout timelines. If deploying via MDM, ensure your device management policy enforces minimum version 149.0.7827.53. On Android System WebView (for third-party apps), ensure it is updated to the latest version via the Google Play Store, as some apps depend on the shared WebView component.

Detection guidance

Monitor for crashes or unexpected behavior in Chrome or WebView-dependent applications on Android devices, especially correlating with file-opening events. Endpoint detection tools with Android visibility should alert on child process spawning from Chrome with unusual system calls or memory access patterns. Review device logs for 'WebView' or 'Chrome' crashes with memory corruption signatures. At the network level, monitor for anomalous outbound connections from Chrome processes that may indicate successful exploitation. Behavioral indicators include unexpected file-system access or credential usage after a file was opened.

Why prioritize this

This vulnerability merits high priority due to its CVSS score of 7.8, the ease with which Android users receive and open files, and the lack of complex prerequisites. Although it requires local access, many organizations have permissive BYOD policies or shared devices where local access is common. The combination of code execution capability and user-interaction dependency makes it attractive to targeted attackers. Prioritize devices used by high-value targets (executives, developers, HR staff) and shared devices. Push the update broadly to all Android devices within 2-4 weeks.

Risk score, explained

The CVSS 3.1 score of 7.8 (HIGH) reflects: (1) local attack vector (AV:L) limiting initial compromise surface, (2) low attack complexity (AC:L) meaning exploitation does not require special conditions beyond file delivery, (3) no privilege escalation requirement (PR:N) as the attacker operates with user-level rights, (4) user interaction required (UI:R), which is satisfied by normal file-opening behavior, and (5) full confidentiality, integrity, and availability impact (C:H/I:H/A:H) once code executes in the WebView process. The score is not 'Critical' because attack vector is local; it is 'High' because impact scope is not system-wide and exploitation requires user action, but these factors do not substantially reduce real-world risk for organizations with permissive mobile policies.

Frequently asked questions

Will updating Chrome break my apps or settings?

No. Chrome updates are designed to be backward-compatible. Your bookmarks, passwords, and settings sync to your Google account and will be preserved. Some older or poorly-maintained apps may have compatibility quirks, but this is rare. Test in a pilot group of devices first if you have concerns, then roll out broadly.

Do I need to update Android itself, or just Chrome?

Just Chrome. This vulnerability is in the Chrome app and its WebView component, not in Android OS itself. You do not need a full Android OS update. However, ensure your Android System WebView is also up-to-date, as third-party apps may depend on it.

What if a user has already opened a malicious file?

A single file open does not guarantee exploitation. The attacker would need to craft a very specific file tailored to trigger the use-after-free condition. However, if a user reports unusual app behavior, crashes, or unexpected network activity after opening an unknown file, isolate the device, back it up, and perform a factory reset if possible. Then update Chrome and monitor for anomalies.

Is this vulnerability currently being exploited in the wild?

As of the last update, this vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, meaning no confirmed active exploitation has been publicly disclosed. However, this does not mean exploitation is impossible—it may be used in targeted campaigns. Treat this as a high-priority update nonetheless.

This analysis is based on publicly available information and vendor advisories as of June 2026. CVSS scores, affected versions, and patch status are provided by official sources and should be verified against the latest vendor security bulletins. No active exploitation or proof-of-concept code is provided or endorsed. Recommendations reflect best practices for enterprise mobile security; your organization's risk tolerance and asset criticality should guide prioritization. Always test patches in non-production environments before broad deployment. Source: NVD (public-domain), retrieved 2026-07-12. Analysis generated by SEC.co (claude-haiku-4-5).