HarborGuard Database

Severity: HIGH
CVE-2026-10896
CNA: Chrome

CVE-2026-10896: Use after free in Chrome for iOS in Google Chrome on iOS prior to 149

Use after free in Chrome for iOS in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)

Metrics

  • CVSS v3.1: 8.8
  • Severity: HIGH
  • Fixed in: 149.0.7827.53
  • Affected products: 1


HarborGuard Analysis

Synopsis

A use-after-free vulnerability in Google Chrome for iOS allows a remote attacker to execute arbitrary code by luring a user to a crafted HTML page. The flaw is reachable over the network with no authentication required, but does require the victim to visit a malicious or attacker-controlled webpage. Successful exploitation gives the attacker full code execution within the browser process. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection (Available)

Detection capability for CVE-2026-10896 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds, including custom-built images that bundle a Chrome for iOS component. Any image layer containing a Chrome for iOS binary below 149.0.7827.53 is flagged automatically.

Triage (Available)

HarborGuard scores this CVE at CVSS 8.8 (HIGH) and surfaces it with the corresponding severity weighting applied against each customer's compliance policy. Findings are routed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Patch (Available)

A patched-image rebuild at Chrome for iOS version 149.0.7827.53 becomes available through HarborGuard once the upstream fix is confirmed. For customers with auto-remediation enabled, HarborGuard triggers a rebuild, runs a regression test pass, and opens a PR against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker delivers the exploit over the network; the target device must be able to reach an attacker-controlled or compromised webpage.

  • Authentication: Not required

    No account or credential of any kind is needed; any anonymous visitor to a malicious page is a viable target.

  • Victim interaction: Required

    The victim must navigate to or be redirected to a crafted HTML page, making this a social-engineering or drive-by-navigation scenario.

  • Attack complexity: Low (CVSS AC:L)

    The exploit is reliable and imposes no special environmental conditions or race-window requirements on the attacker.

Blast Radius

  • Attacker achieves arbitrary code execution inside the Chrome browser process on the victim's iOS device.
  • Confidential data accessible to the browser, including stored credentials, session tokens, and browsing history, is exposed.
  • Attacker can write or modify data within the browser's sandbox, including cached content and locally stored site data.
  • The browser process can be crashed or rendered unresponsive, disrupting the user's session and any active web-based workflows.

How HarborGuard Handles This

Available on HarborGuard: images containing Google Chrome for iOS below 149.0.7827.53 are flagged at scan time, with the CVSS 8.8 HIGH score and compliance-policy weighting applied to prioritize routing. Where auto-remediation is enabled, HarborGuard initiates a rebuild of the image at the fixed version, runs a regression test suite, and opens a PR against affected workloads; for HIGH-severity issues, median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. For customers who manage remediation manually, HarborGuard surfaces the finding with pinned fix-version metadata so engineering teams can target the 149.0.7827.53 upgrade directly.


Fix available: 149.0.7827.53

Affected packages
  • Google / Chrome: versions below 149.0.7827.53 (fixed in 149.0.7827.53)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H