HIGH | CVE-2026-10923 | Published | Modified | CNA: Chrome

CVE-2026-10923: Use after free in WebAppInstalls in Google Chrome on Android prior to 149

Use after free in WebAppInstalls in Google Chrome on Android prior to 149.0.7827.53 allowed a local attacker to execute arbitrary code via a malicious file. (Chromium security severity: High)

Metrics

CVSS v3.1: 8.8
Severity: HIGH
Fixed in: 149.0.7827.53
Affected Products: 1


HarborGuard Analysis

Synopsis

A use-after-free vulnerability affects Google Chrome on Android versions prior to 149.0.7827.53 in the WebAppInstalls component. The flaw is reachable over the network but requires a user to interact with a malicious file, and no authentication is needed to trigger it. Successful exploitation gives an attacker arbitrary code execution on the affected device. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-10923 is available in every HarborGuard environment: the CVE is matched against customer images within minutes of its ingestion from upstream feeds, including custom-built images that bundle Chrome on Android. Coverage applies both to registry-resident images and to images scanned in CI/CD pipelines.

Triage: Available

HarborGuard scores this CVE at CVSS 8.8 (High) and weights it against each environment's compliance policy to determine urgency and routing. Triage results are dispatched to the appropriate team inbox within each customer organization based on configured ownership rules.

Patch: Available

A patched-image rebuild at Chrome 149.0.7827.53 becomes available through HarborGuard for any image found to include an affected version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test pass, and opens a PR against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker delivers the malicious file over the network, so the targeted device must be reachable, or the user must be able to reach attacker-controlled content across the network.

  • Authentication: Not required

    No account or credential is needed; the attacker does not need to authenticate to any service to deliver the exploit.

  • Victim interaction: Required

    A user must open or interact with a malicious file, making this a social-engineering vector in which the attacker must convince the victim to take an action.

  • Attack complexity: Low

    Attack complexity is Low: in CVSS terms, exploitation does not depend on conditions outside the attacker's control, such as race conditions or a specific memory layout, so the exploit is expected to work reliably.

Blast Radius

  • Executes arbitrary attacker-controlled code in the context of the Chrome process on the affected Android device.
  • Reads sensitive data accessible to the Chrome process, including stored credentials, session tokens, and browsing data.
  • Modifies or deletes data accessible to the Chrome process, including locally cached files and app storage.
  • Crashes or destabilizes the Chrome process, disrupting the user's browsing session and any web app functionality running within it.

How HarborGuard Handles This

Available on HarborGuard: any container image that packages Google Chrome for Android is scanned against CVE-2026-10923 within minutes of the advisory entering upstream feeds. Where an affected version is detected, a rebuilt image pinned to 149.0.7827.53 is made available. For customers who opt into auto-remediation, HarborGuard triggers the rebuild, executes a regression test run, and opens a PR against the affected workload automatically; for High-severity issues, the median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy does not permit auto-remediation, the finding is surfaced in the HarborGuard dashboard with fix-version detail so engineers can act manually. Given the arbitrary code execution impact, teams running Chrome-based container workloads on Android targets should treat this as a high-priority update.


Fix available: 149.0.7827.53

Affected packages:
  • Google / Chrome: < 149.0.7827.53 (from 149.0.7827.53)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H