Description
Use after free in Chrome for iOS in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)
Published: 2026-06-04
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A use-after-free flaw in Chrome for iOS before version 149.0.7827.53 allows an attacker to execute arbitrary code on a victim’s device by delivering a specially crafted HTML page. The flaw arises when the browser accesses freed memory after the page’s resources have been released, leading to memory corruption that an attacker can exploit to run malicious code. This is a critical vulnerability, classified as such by Chromium’s security severity ratings.

Affected Systems

Affected vendor: Google; product: Google Chrome for iOS. The vulnerability applies to any install of Chrome for iOS that is older than version 149.0.7827.53, including all releases earlier in the 149.0.x branch.

Risk and Exploitability

The vulnerability’s CVSS score is not publicly available, but it is marked as critical by Chromium, indicating a high severity. No EPSS data was provided, and the issue is not listed in the CISA KEV catalog. Attackers can exploit the flaw remotely by merely hosting a malicious HTML page that the victim’s browser will load. Once the exploit succeeds, the attacker can run arbitrary code with the privileges of the browser process, potentially compromising the entire device.

Generated by OpenCVE AI on June 5, 2026 at 03:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Chrome to version 149.0.7827.53 or later from the iOS App Store.
  • Temporarily disable JavaScript execution for untrusted websites in Chrome settings until a patch is released.
  • Uninstall or close the old Chrome app if updates are delayed to prevent exposure.


Advisories

No advisories yet.

History

Fri, 05 Jun 2026 03:45:00 +0000

Type | Values Removed | Values Added
Title | | Use After Free in iOS Chrome Enables Remote Code Execution via Crafted HTML

Fri, 05 Jun 2026 03:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Google; Google chrome
Vendors & Products | | Google; Google chrome

Fri, 05 Jun 2026 01:30:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}; ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 04 Jun 2026 23:15:00 +0000

Type | Values Removed | Values Added
Description | | Use after free in Chrome for iOS in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)
Weaknesses | | CWE-416
References | |

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-05T00:33:55.822Z

Reserved: 2026-06-04T17:05:58.392Z

Link: CVE-2026-10896

Vulnrichment

Updated: 2026-06-05T00:26:45.959Z

NVD

Status: Received

Published: 2026-06-04T23:16:51.230

Modified: 2026-06-05T02:16:52.510

Link: CVE-2026-10896

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T03:30:30Z

Weaknesses