Description
Use after free in WebAppInstalls in Google Chrome on Android prior to 149.0.7827.53 allowed a local attacker to execute arbitrary code via a malicious file. (Chromium security severity: High)
Published: 2026-06-04
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A use‑after‑free flaw in the WebAppInstalls component of Google Chrome on Android allows a local attacker to trigger arbitrary code execution by supplying a crafted malicious file. The vulnerability is classified as CWE‑416 and was deemed high severity by Chromium security reviewers. The flaw can be exploited only when the attacker controls a malicious file that is processed by the browser, giving the attacker full code execution privileges on the device.

Affected Systems

Google Chrome operating on Android devices running versions earlier than 149.0.7827.53 is affected. This includes all builds of Chrome on Android that have not yet been updated to the patched release. No other vendors or product lines are listed as vulnerable.

Risk and Exploitability

The vulnerability has no publicly available exploit information and its EPSS score is not available, indicating that exploitation is currently unproven. However, the flaw is local and provides full code execution, which can lead to data theft, credential compromise, or device takeover when an attacker can supply the malicious file. The lack of a KEV listing suggests no widespread exploitation yet, but the high inherent risk and local nature warrant prompt mitigation.

Generated by OpenCVE AI on June 5, 2026 at 01:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Chrome to version 149.0.7827.53 or later.
  • If immediate update is not possible, disable WebAppInstalls functionality or block the installation of files that are not signed by trusted sources.
  • Ensure the device’s security policy restricts the installation of unknown or unverified applications to prevent delivery of malicious files.



Advisories

No advisories yet.

History

Fri, 05 Jun 2026 03:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Google; Google chrome |
| Vendors & Products | | Google; Google chrome |

Fri, 05 Jun 2026 01:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Title | | Use‑after‑free in Chrome Android WebAppInstalls Enables Local Code Execution |

Thu, 04 Jun 2026 23:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Use after free in WebAppInstalls in Google Chrome on Android prior to 149.0.7827.53 allowed a local attacker to execute arbitrary code via a malicious file. (Chromium security severity: High) |
| Weaknesses | | CWE-416 |
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-04T23:03:40.427Z

Reserved: 2026-06-04T17:06:07.283Z

Link: CVE-2026-10923

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-04T23:16:54.637

Modified: 2026-06-04T23:16:54.637

Link: CVE-2026-10923

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T03:00:06Z

Weaknesses