HIGH | CVE-2026-10958 | CNA: Chrome

CVE-2026-10958: Use after free in Chrome for iOS in Google Chrome on iOS prior to 149

Use after free in Chrome for iOS in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)

Metrics

  • CVSS v3.1: 8.8
  • Severity: HIGH
  • Fixed in: 149.0.7827.53
  • Affected Products: 1


HarborGuard Analysis

Synopsis

A use-after-free vulnerability affects Google Chrome for iOS in versions prior to 149.0.7827.53. The flaw is reachable over the network and requires no authentication, but does require a user to perform specific UI gestures on a crafted HTML page. Successful exploitation gives the attacker arbitrary code execution on the device. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-10958 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds, including custom-built images that bundle Chrome for iOS. Coverage applies to images in both container registries and active CI/CD pipelines.

Triage: Available

HarborGuard is capable of scoring this CVE at 8.8 HIGH using its CVSS v3.1 vector and weighting the finding against each customer environment's compliance policy. Routed alerts are made available to the appropriate team inbox within each customer organization based on configured severity thresholds and ownership rules.

Patch: Available

A patched-image rebuild at Chrome for iOS version 149.0.7827.53 becomes available in HarborGuard the moment the fix version is confirmed in upstream advisory feeds. For customers who opt into auto-remediation, HarborGuard is capable of triggering the rebuild, running a regression test pass, and opening a PR against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker delivers the crafted HTML page over the network, so the affected Chrome for iOS instance must be reachable or browsing content from an attacker-controlled origin.

  • Authentication: Not required

    No account or credential is needed; any unauthenticated remote attacker who can serve a page to the target can attempt the exploit.

  • Victim interaction: Required

    A user must be convinced to perform specific UI gestures while viewing a crafted HTML page, making this a social-engineering-dependent exploit.

  • Attack complexity: Detail

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, memory-layout guessing, or other unpredictable environmental factors.

Blast Radius

  • The attacker executes arbitrary code in the context of the Chrome for iOS process on the victim's device.
  • With code execution, the attacker can read local app data accessible to Chrome, including cached credentials, cookies, and browsing history.
  • The attacker can write or modify files within the Chrome app sandbox, enabling persistent payload installation or data tampering.
  • The attacker can crash or destabilize the Chrome process, causing service disruption for the affected user.

How HarborGuard Handles This

Available on HarborGuard: detection of this use-after-free in Chrome for iOS is available within minutes of CVE publication for all customer images, including internally built images that bundle or depend on Chrome for iOS. Triage surfaces the 8.8 HIGH score alongside each environment's compliance policy weighting so the right team receives the alert without manual routing. Where a customer's compliance policy permits auto-remediation, HarborGuard can rebuild the affected image at the patched version 149.0.7827.53, run a regression test pass, and open a PR against affected workloads; for high-severity issues, the median time from CVE publication to merged patch PR in environments with auto-remediation enabled is around 90 minutes. For environments where auto-remediation is not enabled, the patched rebuild is staged and ready for manual promotion as soon as the team reviews the finding.


Fix available: 149.0.7827.53

Affected packages
  • Google / Chrome: < 149.0.7827.53 (from 149.0.7827.53)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H