HIGH 8.8

CVE-2026-11080: Chrome Android WebView Use-After-Free Vulnerability (CVSS 8.8)

A use-after-free memory vulnerability exists in Google Chrome's WebView component on Android devices. An attacker can craft a malicious HTML page that, when visited by a user, triggers memory corruption in the browser's heap. This could allow the attacker to execute arbitrary code or crash the application. The vulnerability affects Chrome versions before 149.0.7827.53 on Android.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-416
Affected products
2 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Use after free in WebView in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11080 is a use-after-free (CWE-416) vulnerability in WebView, a core component of Google Chrome on Android. The flaw occurs when WebView processes specially crafted HTML, causing it to reference memory that has already been freed. This heap corruption can be leveraged to overwrite critical data structures or inject executable code. The vulnerability requires user interaction (visiting a malicious page) but no authentication or special privileges. It carries a CVSS 3.1 score of 8.8 (High severity) with network-based attack vector and high impact across confidentiality, integrity, and availability.

Business impact

Organizations supporting Android devices in their environment face elevated risk of data breach or endpoint compromise if users visit attacker-controlled websites while running unpatched Chrome versions. Compromised devices could leak sensitive corporate data, facilitate lateral network movement, or serve as persistent attack footholds. The requirement for user interaction slightly reduces organizational risk compared to wormable vulnerabilities, but widespread Android adoption and browser usage make this a material threat to mobile-first organizations.

Affected systems

This vulnerability impacts Google Chrome on Android devices running versions prior to 149.0.7827.53. The WebView component is also used by other Android applications beyond Chrome, so third-party apps embedding WebView may be affected if they do not independently patch or depend on the system WebView. Organizations should inventory Chrome and other WebView-dependent applications across their Android device fleet.

Exploitability

While Chromium rates this as Medium severity, the CVSS score of 8.8 reflects realistic exploitability: the attack requires only a crafted web page and user navigation to it (no social engineering or authentication bypass needed). The network attack vector and low complexity mean an attacker can host the malicious page on any website or compromise a legitimate site. No known public exploits are tracked in the Cybersecurity and Infrastructure Security Agency's KEV catalog, but the straightforward nature of heap corruption exploitation suggests development of working exploits is feasible.

Remediation

Update Google Chrome on Android to version 149.0.7827.53 or later. Organizations should enforce Chrome updates through their mobile device management (MDM) platform if deployed. For third-party Android applications that embed WebView, verify that they receive updates from their respective vendors or rely on the system WebView component (which pulls security patches from Google Play System Update). Users without MDM control should manually update Chrome via the Google Play Store.

Patch guidance

Patches are available through the Google Play Store for Chrome on Android. MDM-managed environments should configure automatic or mandatory updates to version 149.0.7827.53 or later. Verify patch deployment by checking Chrome version under Settings > About Chrome, which will show the installed version number. Third-party applications using WebView should be assessed for their patch status independently, as they may have their own release cycles separate from Chrome's.

Detection guidance

Monitor for Chrome version compliance across Android devices using MDM solutions or device inventory tools. Log analysis on network appliances can identify suspicious browsing patterns or known malicious domains. Endpoint detection and response (EDR) tools on Android devices may flag heap corruption exploitation attempts, though detection post-compromise is less reliable than prevention. Encourage users to report unexpected browser crashes or performance degradation, which could indicate exploitation attempts.

Why prioritize this

Despite Chromium's Medium severity rating, this vulnerability warrants High prioritization due to its CVSS 8.8 score, network-based attack vector, low complexity, and the ubiquity of Chrome on Android. The requirement for user interaction is the primary mitigating factor, but the ease of delivering a crafted HTML page and high potential impact on confidentiality, integrity, and availability make rapid patching essential for organizations with significant Android user bases.

Risk score, explained

The CVSS 3.1 score of 8.8 reflects the severe impact potential: an attacker gains high-confidence code execution through heap corruption with no authentication or special access required. The network attack vector and low attack complexity indicate ease of exploitation. The only complexity moderator is user interaction (visiting a malicious page), which is relatively common and not a strong security boundary. Organizations should treat this as High risk and prioritize patching accordingly.

Frequently asked questions

Does this vulnerability affect Chrome on desktop or iOS?

CVE-2026-11080 is specific to Chrome on Android. While both desktop Chrome and iOS Safari/Chrome may contain similar use-after-free flaws, this CVE does not cover those platforms. Check for separate advisories if you support Windows, macOS, or iOS.

If our organization doesn't allow WebView-based apps, are we protected?

Partially. Disabling Chrome itself eliminates direct risk from this CVE. However, the WebView component on Android can be used by numerous apps (email, password managers, in-app browsers, etc.). You would need to audit all installed applications to confirm none use WebView, which is impractical for most organizations. Patching Chrome remains the most effective mitigation.

Is this vulnerability in CISA's Known Exploited Vulnerabilities list?

No. As of the vulnerability's publication date, it is not listed in CISA's KEV catalog. However, the absence of a KEV listing does not mean exploits do not exist or will not emerge. Treat this as an active threat that requires timely patching.

Can users be phished into visiting a malicious page that triggers this?

Yes. An attacker could send a link via email, SMS, chat, or social media directing users to a page hosting the exploit. Alternatively, attackers could compromise legitimate websites to inject malicious code. User awareness training to avoid suspicious links is a helpful secondary control, but patching is the primary defense.

This analysis is provided for informational purposes and does not constitute professional security advice. Verify all patch version numbers and affected product lists against official Google security advisories before deployment. Organizations should conduct their own risk assessment based on their specific environment, device inventory, and business requirements. No liability is assumed for decisions made based on this intelligence. Source: NVD (public-domain), retrieved 2026-07-12. Analysis generated by SEC.co (claude-haiku-4-5).