CVE-2026-10952: Use after free in Chrome for iOS in Google Chrome on iOS prior to 149
Use after free in Chrome for iOS in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Metrics
- CVSS v3.1: 8.8
- Severity: HIGH
- Fixed in: 149.0.7827.53
- Affected Products: 1
HarborGuard Analysis
Synopsis
A use-after-free vulnerability affects Google Chrome for iOS in versions prior to 149.0.7827.53. The flaw is reachable over the network without any authentication, but requires a user to visit a crafted HTML page. Successful exploitation gives the attacker full read, write, and crash capability over the renderer process through heap corruption, enabling data theft, content tampering, or application crash. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for affected environments.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images that bundle Chrome for iOS or its components.
Status: Available
HarborGuard scores this CVE at 8.8 HIGH using the CVSS v3.1 vector and weights it against each customer environment's compliance policy, routing findings to the appropriate team inbox within each organization.
Status: Available
A patched-image rebuild at version 149.0.7827.53 becomes available on HarborGuard for any image found to include an affected version of Chrome for iOS. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs regression tests, and opens a pull request against affected workloads.
Status: Available
Exploit Conditions
- Network reachability: Required
The attacker must reach the victim over the network by delivering a crafted HTML page, making any internet-exposed browsing session a viable attack surface.
- Authentication: Not required
No account or credential is needed; the attacker only needs the victim to load a page the attacker controls.
- Victim interaction: Required
The victim must navigate to or be redirected to a crafted HTML page, requiring a social-engineering or malicious-link delivery step.
- Attack complexity: Detail
Attack complexity is low, meaning the exploit is reliable and requires no special conditions such as race conditions or specific memory layout.
Blast Radius
- Reads in-process memory from the Chrome renderer, exposing session tokens, cookies, and page content belonging to the current user.
- Writes to freed heap memory, allowing an attacker to corrupt renderer state and inject attacker-controlled data into the running process.
- Crashes the Chrome for iOS application by triggering heap corruption, causing immediate denial of service for the affected user session.
- Heap corruption at this severity level can chain into code execution within the renderer sandbox, enabling further privilege escalation attempts.
How HarborGuard Handles This
Available on HarborGuard: any image containing Google Chrome for iOS below version 149.0.7827.53 is flagged automatically as soon as the CVE is ingested, which typically occurs within minutes of publication. Where a customer's compliance policy permits auto-remediation, HarborGuard triggers a rebuild against the fixed version (149.0.7827.53), runs the configured regression-test suite, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. For teams that review changes manually, the finding is routed to the designated inbox with CVSS scoring, affected image list, and a direct link to the upstream Chromium advisory so reviewers have full context before approving the rebuild.
Fix available
- Google / Chrome < 149.0.7827.53 (from 149.0.7827.53)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H