Description
Use after free in Autofill in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-04
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Google Chrome on Android contains a use-after-free flaw in its Autofill component. The vulnerability allows a malicious renderer process, which the attacker has already compromised, to cause a sandbox escape when a specially crafted HTML document is loaded. The flaw falls under CWE‑416 and can enable the attacker to elevate privileges or execute code outside the browser sandbox, thereby threatening confidentiality, integrity, and availability of the device.

Affected Systems

The issue affects any Android version of Google Chrome prior to build 149.0.7827.53. Systems running earlier releases lack the protection that the patched code provides.

Risk and Exploitability

No EPSS score is available, and the vulnerability is not listed in CISA KEV. The referenced Chromium severity is Medium, suggesting moderate likelihood of exploitation in practice. Exploitation requires an attacker to have already injected malicious code into the renderer process and to serve a page that exploits the dangling pointer. While not trivial, the combination of a prior compromise and crafted content could lead to sandbox escape.

Generated by OpenCVE AI on June 5, 2026 at 05:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome for Android to version 149.0.7827.53 or later.
  • Ensure Chrome is kept up‑to‑date via automatic system updates to receive future patches.
  • If a prompt update is not possible, disable the Autofill feature in Chrome’s settings to remove the vulnerable code path until the official patch is applied.

Generated by OpenCVE AI on June 5, 2026 at 05:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 05:30:00 +0000

Type Values Removed Values Added
Title Use-After-Free in Chrome Autofill Potentially Enables Sandbox Escape
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Thu, 04 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Use after free in Autofill in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)
Weaknesses CWE-416
References

Subscriptions

Google Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-04T23:05:12.524Z

Reserved: 2026-06-04T17:06:57.174Z

Link: CVE-2026-11131

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-04T23:17:19.197

Modified: 2026-06-04T23:17:19.197

Link: CVE-2026-11131

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-05T05:15:25Z

Weaknesses