CVE-2026-9956: Chrome iOS Use-After-Free Remote Code Execution Vulnerability
A use-after-free vulnerability in Google Chrome on iOS allows remote attackers to execute arbitrary code if a user can be tricked into performing specific gestures on a malicious webpage. The vulnerability requires user interaction but doesn't require special privileges or system access, making it a realistic attack vector for threat actors hosting compromised or attacker-controlled sites.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-416
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
Use after free in iOS in Google Chrome on iOS prior to 148.0.7778.216 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
This vulnerability stems from a use-after-free condition (CWE-416) in Chrome's iOS implementation, where memory is accessed after it has been freed. The flaw is triggered through crafted HTML served over the network. The attack requires the user to perform specific UI gestures, which the attacker must socially engineer or induce through deceptive page design. Once triggered, the freed memory can be controlled to execute arbitrary code with the privileges of the Chrome process.
Business impact
Successful exploitation could allow attackers to compromise user data, install malware, or escalate to further system compromise on iOS devices. Given Chrome's extensive use on iPhones for browsing, phishing attacks that combine social engineering with malicious landing pages pose a meaningful risk to enterprise users and customers who rely on mobile browsing for business tasks.
Affected systems
Google Chrome on iOS versions prior to 148.0.7778.216 are vulnerable. The vulnerability also involves Apple iPhone OS as the underlying platform. Organizations with iOS-using employees or customers should treat Chrome browser security as part of their mobile security posture.
Exploitability
Exploitation is feasible but not trivial. An attacker must host a crafted HTML page and convince or trick users into visiting it and performing specific UI interactions. This is more complex than pure drive-by exploitation but remains credible via phishing, malicious advertising, or social engineering. The requirement for user gesture interaction reduces (but does not eliminate) the risk of mass exploitation.
Remediation
Update Google Chrome on iOS to version 148.0.7778.216 or later. Users should enable automatic updates for Chrome and verify their current version via Settings > Google Chrome > About. Organizations should communicate update guidance to iOS users and consider mobile device management (MDM) policies that enforce Chrome version requirements or restrict older versions.
Patch guidance
Verify current Chrome version on iOS devices by navigating to Chrome Settings > About Google Chrome. The app will display the installed version and automatically check for updates. Force an update check if needed. For enterprise deployments, use MDM solutions to push Chrome updates or create compliance policies requiring minimum version 148.0.7778.216. Test updates on non-production devices first if your environment is highly controlled.
Detection guidance
Detection is challenging at the endpoint level since the exploit is memory-based and leaves minimal forensic artifacts. Monitor for: (1) unexpected Chrome crashes on iOS, particularly correlated with specific websites; (2) unusual outbound connections from Chrome processes; (3) sudden app restarts or device reboots after specific user actions. At the network level, watch for suspicious HTML served from known malicious or recently compromised domains. Correlate with threat intelligence feeds tracking use-after-free exploits in Chrome.
Why prioritize this
This vulnerability merits prompt patching due to the combination of remote attack vector, user interaction requirement that is socially feasible, and high-impact consequences (arbitrary code execution). While not yet in active exploitation tracking (KEV status is false), the low barrier to weaponization and the prevalence of Chrome on iOS make it a meaningful risk. Prioritize organizations with BYOD policies or customer-facing mobile apps built on iOS.
Risk score, explained
The CVSS 3.1 score of 7.5 (HIGH) reflects a remote attack vector with high complexity (due to required UI gestures), requiring user interaction, and no privileges needed. The impact is severe: confidentiality, integrity, and availability are all fully compromised if exploitation succeeds. The high complexity score moderately reduces the base score, but the attack remains credible and impactful enough to warrant prioritization above lower-severity vulnerabilities.
Frequently asked questions
Do I need to update if I only use Chrome on iOS for casual browsing?
Yes. Even casual browsing can expose you to risk if you visit a compromised site or click a malicious link. The attacker doesn't need you to download anything—just to interact with a webpage in a specific way. Automatic updates are your best defense, so enable them in Chrome Settings.
Can this be exploited without user interaction?
No. The vulnerability specifically requires the user to perform certain UI gestures. This makes mass drive-by attacks harder but doesn't eliminate the risk, especially if an attacker uses social engineering or crafted deceptive page content to guide users toward the required interaction.
What should enterprise IT teams do?
Inventory Chrome usage on iOS devices, verify current versions, and enforce update policies via MDM. Communicate the risk to users, emphasizing not to ignore Chrome update prompts. Monitor for any unusual app crashes or device behavior. Consider supplementary mobile threat defense tools if available.
Is this vulnerability being actively exploited in the wild?
As of the information provided, this vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) list, meaning no active, widespread exploitation has been confirmed at this time. However, that status can change quickly, so prompt patching remains important.
This analysis is based on publicly available vulnerability data as of the publication date. Patch versions, vendor timelines, and exploitation status are subject to change. Organizations should verify patch availability and compatibility with their specific environments before deployment. This content is for informational purposes and should not substitute for professional security assessment or vendor guidance. No exploit code or weaponized proof-of-concept information is provided herein. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10001HIGHChrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGHChrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10005HIGHChrome macOS Use-After-Free RCE Vulnerability (7.5 CVSS)
- CVE-2026-10007HIGHChrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)
- CVE-2026-10012HIGHChrome Skia Use-After-Free Sandbox Escape (v148.0.7778.216)
- CVE-2026-10013HIGHUse-After-Free in Chrome WebCodecs – Patch Guide & Risk Assessment
- CVE-2026-10016HIGHUse-After-Free in Chrome DOM – Sandbox Code Execution Vulnerability