Description
Use after free in WebAppInstalls in Google Chrome on Android prior to 149.0.7827.53 allowed a local attacker to execute arbitrary code via a malicious file. (Chromium security severity: High)
Published: 2026-06-04
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A use-after-free flaw in the WebAppInstalls component of Google Chrome on Android allows a local attacker to execute arbitrary code by supplying a crafted malicious file. The vulnerability is classified as CWE-416 and CWE-825 and was rated High severity by Chromium security reviewers. Exploitation requires that the attacker supply a malicious file that the browser then processes; a successful exploit gives the attacker arbitrary code execution on the device.

Affected Systems

Google Chrome on Android devices at versions earlier than 149.0.7827.53 is affected. This includes every build of Chrome on Android that has not yet been updated to the patched release. No other vendors or product lines are listed as vulnerable.

Risk and Exploitability

No exploit information for this vulnerability is publicly available, and its EPSS score is below 1%, indicating that exploitation is currently unproven. Its CVSS score of 8.8 marks it as high severity. However, the flaw gives a local attacker code execution, which can lead to data theft, credential compromise, or device takeover whenever the attacker can supply the malicious file. The absence of a KEV listing suggests no widespread exploitation yet, but the high inherent risk warrants prompt mitigation.

Generated by OpenCVE AI on June 7, 2026 at 13:43 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Update Chrome to version 149.0.7827.53 or later.
  • Ensure the device's security policy restricts the installation of unknown or unverified applications, to prevent delivery of malicious files.
  • Remove any malicious files from local storage and verify that no suspicious files remain that could be processed by the browser.


Advisories

Source | ID | Title
Debian DSA | DSA-6325-1 | chromium security update
History

Sun, 07 Jun 2026 12:15:00 +0000

Type | Values Removed | Values Added
Title | | chromium-browser: Use after free in WebAppInstalls
Weaknesses | | CWE-825
References | |
Metrics | threat_severity: None | threat_severity: Important


Sat, 06 Jun 2026 01:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Google android
CPEs | | cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*, cpe:2.3:o:google:android:-:*:*:*:*:*:*:*
Vendors & Products | | Google android

Fri, 05 Jun 2026 22:45:00 +0000

Type | Values Removed | Values Added
Title | | Use-after-free in Chrome Android WebAppInstalls Enables Local Code Execution

Fri, 05 Jun 2026 21:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 05 Jun 2026 20:30:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Fri, 05 Jun 2026 03:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Google, Google chrome
Vendors & Products | | Google, Google chrome

Fri, 05 Jun 2026 01:30:00 +0000

Type | Values Removed | Values Added
Title | | Use-after-free in Chrome Android WebAppInstalls Enables Local Code Execution

Thu, 04 Jun 2026 23:15:00 +0000

Type | Values Removed | Values Added
Description | | Use after free in WebAppInstalls in Google Chrome on Android prior to 149.0.7827.53 allowed a local attacker to execute arbitrary code via a malicious file. (Chromium security severity: High)
Weaknesses | | CWE-416
References | |

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-05T19:34:52.153Z

Reserved: 2026-06-04T17:06:07.283Z

Link: CVE-2026-10923

Vulnrichment

Updated: 2026-06-05T19:34:46.395Z

NVD

Status: Analyzed

Published: 2026-06-04T23:16:54.637

Modified: 2026-06-06T01:43:03.350

Link: CVE-2026-10923

Redhat

Severity: Important

Public Date: 2026-06-02T00:00:00Z

Links: CVE-2026-10923 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-07T13:45:07Z

Weaknesses