CVE-2026-11072: Use after free in WebView in Google Chrome on Android prior to 149
Use after free in WebView in Google Chrome on Android prior to 149.0.7827.53 allowed a local attacker to execute arbitrary code via a malicious file. (Chromium security severity: Medium)
Metrics
- CVSS v3.1: 7.8
- Severity: HIGH
- Fixed in: 149.0.7827.53
- Affected Products: 1
HarborGuard Analysis
Synopsis
A use-after-free vulnerability affects the WebView component in Google Chrome on Android prior to version 149.0.7827.53. The flaw is reached locally and requires no authentication, though a victim must open a malicious file, which triggers the memory corruption. Successful exploitation gives an attacker arbitrary code execution on the device. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for affected environments.
HarborGuard Coverage
Detection of CVE-2026-11072 is available across every HarborGuard environment, with the CVE ingested from upstream feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built Android images that bundle the Chrome WebView component.
Triage is available using the CVSS v3.1 score of 7.8 (HIGH), weighted against each customer environment's compliance policy to prioritize routing and assign the finding to the appropriate team inbox within the customer org.
A patched-image rebuild at Chrome version 149.0.7827.53 is available on HarborGuard for environments running an affected version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a PR against affected workloads automatically.
Exploit Conditions
- Network reachability: Not required
  The attacker needs an existing shell or process on the host; no network exposure is required to trigger this vulnerability.
- Authentication: Not required
  No account or credentials are required; the attacker needs only local access to the device.
- Victim interaction: Required
  The victim must open or interact with a malicious file, making social engineering a necessary part of the attack path.
- Attack complexity: Low (AC:L)
  Exploitation is reliable once the malicious file is opened; it depends on no race conditions or special memory layout.
Blast Radius
- Successful exploitation gives the attacker arbitrary code execution in the context of the Chrome process on the Android device.
- Confidential data accessible to the Chrome process, including stored credentials, browsing history, and cookies, can be read directly.
- The attacker can modify or delete application data, session state, and files accessible to the Chrome process.
- The affected Chrome process can be crashed or forced into an unrecoverable state, disrupting the user's browsing session and any dependent functionality.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-11072 activates immediately upon ingest for any customer image that bundles Google Chrome for Android below version 149.0.7827.53. The finding is scored at CVSS 7.8 HIGH and routed according to each environment's compliance policy. For customers who opt into auto-remediation, HarborGuard queues a rebuild at the fixed version (149.0.7827.53), runs regression tests against the rebuilt image, and opens a pull request targeting affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy requires manual review before patching, the finding surfaces in the assigned team inbox with full CVSS detail and remediation guidance for a direct upgrade to 149.0.7827.53.
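The "below version 149.0.7827.53" match described above, sketched as an added example (this is not HarborGuard's code). The inventory, image names and helper function names are constructed for illustration; only the fixed version comes from this advisory. It compares versions field by field as integers, because a plain string comparison misses some affected builds, and it reports malformed versions as unknown rather than guessing.

```python
import re

FIXED_VERSION = "149.0.7827.53"  # fixed version stated in this advisory

# Constructed sample inventory (image names and versions are made up for the demo).
SAMPLE_INVENTORY = {
    "kiosk-a": "148.0.7778.120",
    "kiosk-b": "149.0.7827.9",      # same build, lower patch than the fix
    "kiosk-c": "149.0.7827.53",     # exactly the fixed version
    "kiosk-d": "150.0.7871.4",
    "legacy-tablet": "99.0.4844.88",
    "dev-build": "149.0.7827",      # malformed: only three fields
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")

def parse_version(text):
    """Parse MAJOR.MINOR.BUILD.PATCH into a tuple of ints, or None if malformed."""
    m = _VERSION_RE.fullmatch(text.strip())
    return tuple(int(part) for part in m.groups()) if m else None

def classify(version_text, fixed=FIXED_VERSION):
    """Return 'affected', 'fixed', or 'unknown' for one version string."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"  # do not guess: send to manual review
    return "affected" if version < parse_version(fixed) else "fixed"

def triage(inventory):
    """Classify every image in a {name: version string} inventory."""
    return {name: classify(ver) for name, ver in inventory.items()}

def missed_by_string_compare(inventory, fixed=FIXED_VERSION):
    """Affected images that a plain string comparison would not flag as below the fix."""
    return sorted(name for name, ver in inventory.items()
                  if classify(ver, fixed) == "affected"
                  and not (ver.strip() < fixed))

if __name__ == "__main__":
    for name, status in triage(SAMPLE_INVENTORY).items():
        print(f"{name:14} {SAMPLE_INVENTORY[name]:16} {status}")
    print("missed by string compare:", missed_by_string_compare(SAMPLE_INVENTORY))
```
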
Fix available
- Google / Chrome < 149.0.7827.53 (from 149.0.7827.53)
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H