CVE-2026-10934: Use after free in Autofill in Google Chrome on Android prior to 149
Use after free in Autofill in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Metrics
- CVSS v3.1: 8.3
- Severity: HIGH
- Fixed in: 149.0.7827.53
- Affected Products: 1
HarborGuard Analysis
Synopsis
A use-after-free vulnerability exists in the Autofill component of Google Chrome on Android, affecting versions prior to 149.0.7827.53. The flaw is reachable over the network and requires no authentication, but the attacker must have already compromised the renderer process and must trick a victim into visiting a crafted HTML page. Successful exploitation allows a full sandbox escape, giving the attacker read, write, and crash capability outside the Chrome sandbox. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built Android-targeted images that bundle a Chrome package below 149.0.7827.53.
Available
HarborGuard scores this issue at CVSS 8.3 (HIGH) using the published v3.1 vector and can weight that score against each customer organization's compliance policy, routing actionable findings to the appropriate team inbox within the customer's configured workflow.
Available
A patched-image rebuild pinned to Chrome 149.0.7827.53 is available on HarborGuard for any environment where the affected version is detected. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads automatically, with a median time from CVE publication to merged patch PR of around 90 minutes for high-severity issues.
Available
Exploit Conditions
- Network reachability: Required
The attacker delivers the crafted HTML page over the network, so the affected device must be reachable or the victim must browse to an attacker-controlled URL.
- Authentication: Not required
No account or credential is needed; the attack is launched from an unauthenticated remote position via a malicious web page.
- Victim interaction: Required
The victim must open or be redirected to a crafted HTML page, making social engineering or a malicious link a prerequisite for exploitation.
- Attack complexity: Detail
Attack complexity is rated High because the attacker must already have compromised the Chrome renderer process before the use-after-free can be leveraged for a sandbox escape.
Blast Radius
- Reads sensitive data held in memory outside the Chrome sandbox, including stored credentials, session tokens, and page contents from other origins.
- Writes to memory outside the sandbox, allowing the attacker to modify application state or inject code into the host process.
- Crashes or destabilizes the host application or underlying Android process if exploitation is unsuccessful or used deliberately for denial-of-service.
- Achieves code execution at a privilege level beyond the sandboxed renderer, potentially enabling further device compromise.
How HarborGuard Handles This
Available on HarborGuard: images containing Google Chrome for Android below version 149.0.7827.53 are flagged automatically upon CVE ingestion. Where compliance policy permits, a rebuilt image pinned to the fixed version 149.0.7827.53 is made available immediately. For customers with auto-remediation enabled, HarborGuard triggers a full rebuild, runs regression tests against the resulting image, and opens a pull request against each affected workload, targeting a median time to merged patch PR of around 90 minutes for high-severity findings. For environments where auto-remediation is not enabled, the CVE appears in the priority findings queue with severity, vector details, and the available fix version so security and platform teams can act directly. Given that exploitation requires a pre-compromised renderer plus victim interaction, network-policy controls that block browsing to untrusted origins on affected Android devices provide a meaningful compensating control until the patched image is deployed.
Fix available
- Google / Chrome < 149.0.7827.53 (from 149.0.7827.53)
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H