CVE-2026-11188: Chrome Android USB Use-After-Free Sandbox Escape Vulnerability
A use-after-free vulnerability in Chrome's USB handling on Android devices allows an attacker to escape the browser's security sandbox by tricking a user into visiting a specially crafted webpage. Once the sandbox is bypassed, the attacker could gain elevated privileges on the device. The vulnerability affects Chrome versions prior to 149.0.7827.53 on Android.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-416
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Use after free in USB in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11188 is a use-after-free condition (CWE-416) in the USB subsystem of Google Chrome on Android. The flaw allows a remote, unauthenticated attacker to craft malicious HTML that triggers memory corruption in the USB driver code path. When a user visits the malicious page, freed memory is accessed, corrupting process state and enabling sandbox escape. The Chromium security team rates this as Medium severity, though the CVSS 3.1 score of 8.8 reflects the high impact of successful exploitation.
Business impact
Successful exploitation leads to complete compromise of the Chrome process and potential device-level access on Android. An attacker could steal sensitive data stored in or accessible through Chrome, modify user credentials, install persistent malware, or pivot to other applications and services on the device. For organizations with Android-heavy workforces or BYOD policies, this poses a material risk to corporate data and endpoint integrity.
Affected systems
Google Chrome on Android versions prior to 149.0.7827.53. The vulnerability is specific to the Android implementation of Chrome's USB stack and does not affect Chrome on other platforms (Windows, macOS, Linux, iOS). Severity correlates with the prevalence of Chrome on Android devices in your environment.
Exploitability
Exploitation requires user interaction—the victim must visit a malicious webpage. However, the barrier to delivery is low; the attacker needs only network access to serve the HTML, with no special privileges or complex attack infrastructure. Once the user visits the page, exploitation is reliable if the vulnerable Chrome version is running. Active exploitation in the wild is not currently documented in CISA's Known Exploited Vulnerabilities catalog.
Remediation
Update Google Chrome on Android to version 149.0.7827.53 or later. This release addresses the use-after-free condition. Users should enable automatic updates in Chrome's settings to ensure timely patching. For organizations managing Android devices, enforce Chrome version requirements through mobile device management (MDM) policies.
Patch guidance
Google released the fix in Chrome 149.0.7827.53 for Android. Verify this version number against Google's official security advisory before deployment. Users can check their installed version in Chrome Settings > About Chrome, which will also trigger an automatic update check. MDM administrators should target this minimum version in device compliance policies and validate rollout across the fleet within 30 days of patch availability.
Detection guidance
Monitor Chrome crash logs and memory violation alerts for USB-related faults on Android devices. Look for anomalous process terminations following user browsing activity. Endpoint detection and response (EDR) tools with Android capability should flag use-after-free memory patterns in Chrome processes. Web gateway logs can identify users visiting known malicious HTML pages; coordinate with threat intelligence feeds for indicators of compromise.
Why prioritize this
Although not yet in CISA's KEV catalog, the combination of sandbox escape capability, low exploitation barrier (user click required), and high confidentiality and integrity impact warrants rapid patching. Android devices are prevalent in modern workforces, and compromised browsers often serve as a foothold for lateral movement. Organizations should prioritize this alongside critical OS-level Android vulnerabilities.
Risk score, explained
The CVSS 3.1 score of 8.8 (HIGH) reflects a network-accessible vulnerability requiring only user interaction, with no authentication needed, and high impact across confidentiality, integrity, and availability. The sandbox escape elevates practical risk beyond typical web vulnerability constraints. Contextually, absence from the KEV catalog suggests limited public exploitation, but the technical severity remains substantial.
Frequently asked questions
Can this vulnerability be exploited without user action?
No. The attack requires a user to visit a malicious webpage in Chrome. However, such pages can be distributed via phishing, compromised legitimate sites, or watering-hole attacks, making user interaction achievable in real-world scenarios.
Does this affect Chrome on iOS or other platforms?
No. The vulnerability is specific to Chrome's USB implementation on Android. Other platforms use different USB handling mechanisms and are not affected by this particular flaw.
What should organizations do if they cannot immediately patch all Android devices?
Restrict Chrome usage on high-risk devices to known-safe internal sites; disable USB-related features if possible; monitor for suspicious activity; and communicate the patch timeline to users so they understand the interim risk profile.
Is this vulnerability related to any Android OS vulnerability?
This is a Chrome-specific vulnerability. Patching Chrome independently of Android OS updates will address the risk. However, keep Android OS patches current as well for defense-in-depth.
This analysis is provided for informational purposes. Verify all patch version numbers and update timelines against Google's official security advisories before deployment. Organizations should conduct internal risk assessments based on their specific Chrome and Android device footprint. SEC.co does not provide legal, compliance, or warranty advice. Always test patches in a controlled environment before broad rollout. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10000HIGHChrome Sandbox Escape via Use-After-Free in Password Handling
- CVE-2026-10001HIGHChrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGHChrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10005HIGHChrome macOS Use-After-Free RCE Vulnerability (7.5 CVSS)
- CVE-2026-10007HIGHChrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)
- CVE-2026-10012HIGHChrome Skia Use-After-Free Sandbox Escape (v148.0.7778.216)
- CVE-2026-10013HIGHUse-After-Free in Chrome WebCodecs – Patch Guide & Risk Assessment