CVE-2026-10885 · Use after free in Chrome for iOS in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code via a cr

01 · The Real Story

This is a sharp shard in a phone app, not a hole in your front door

CVE-2026-10885 is a reported use-after-free in Chrome for iOS affecting versions before 149.0.7827.53. The advertised impact is remote arbitrary code execution after a user is lured into attacker-controlled content, but on iOS that code lands in the context of the Chrome app, not a broadly reachable server or unmanaged desktop browser estate.

Google's HIGH 8.8 score reflects the technical ceiling of a memory-corruption bug, but it overstates patch urgency for most enterprises. Real-world pressure comes down because this is client-side, user-interaction dependent, limited to the Chrome-on-iOS install base, and further constrained by iOS app sandboxing and usually decent MDM app-update hygiene.

"High on paper, but in practice this is a one-click mobile app bug in a sandboxed client, not an enterprise fire drill."

02 · The Attack Path

4 steps from start to impact.

STEP 01

Deliver the lure

The attacker needs a user on an iPhone or iPad with vulnerable Chrome for iOS installed to open attacker-controlled content. Weaponized tool: a crafted web page or deep link delivered through phishing, chat, SMS, or another app. This is classic one-click browser exploitation, not unauthenticated service exposure.

Conditions required:

Target uses Chrome on iOS
Installed version is earlier than 149.0.7827.53
User opens attacker-controlled content

Where this breaks in practice:

Many enterprises do not standardize on Chrome for iOS
Mobile phishing success rates are lower than scanner-visible server exposure
Link protections, Safe Browsing, mail filtering, and mobile threat defense can disrupt delivery

Detection/coverage: Network scanners will not find this. Detection is mostly through email/web telemetry, MTD alerts, and MDM app-version inventory.

STEP 02

Trigger the dangling pointer

Once the crafted content renders, the attacker attempts to hit the freed object and reclaim memory in a useful layout. Weaponized tool: a browser exploit page using JavaScript and page-state manipulation to steer heap behavior. Bug details are typically restricted until patch adoption improves, which slows copycat exploitation at disclosure time.

Conditions required:

Reachable vulnerable code path in Chrome for iOS
Reliable trigger for the specific use-after-free
Sufficient exploit stability on the target iOS build

Where this breaks in practice:

Mobile browser exploitation is brittle across device models and iOS releases
Apple memory protections and browser hardening reduce exploit reliability
Restricted bug details delay turnkey exploit development

Detection/coverage: Exploitability is hard to confirm from logs alone; crash spikes, abnormal app restarts, and web filtering telemetry may be the only indicators.

STEP 03

Execute in the app context

If exploitation succeeds, code execution is most plausibly obtained in the vulnerable browser process or equivalent app context. Weaponized tool: an in-browser post-exploitation payload focused on session theft, page manipulation, or data access available to the app. On iOS, that is materially different from host-level compromise on a workstation.

Conditions required:

Successful memory-corruption exploitation
No intervening mitigation blocks the payload

Where this breaks in practice:

iOS sandboxing sharply limits host blast radius
No evidence in reviewed sources of an accompanying iOS privilege-escalation chain
Enterprise value is usually confined to browser-resident tokens, content, and active sessions

Detection/coverage: EDR visibility on iOS is limited; defenders usually infer impact from account telemetry, suspicious session use, or web-app anomalies rather than process-level forensics.

STEP 04

Monetize the browser foothold

The attacker still needs a second objective after browser-level execution: steal tokens, coerce the user, abuse SSO sessions, or chain into an OS-level escape. Weaponized tool: session hijack and credential-harvest tradecraft rather than a direct network pivot. This is the biggest reason the vendor's technical score does not equal enterprise patch priority.

Conditions required:

Valuable browser session or credentials present
No strong re-authentication or conditional access barriers

Where this breaks in practice:

Modern IdP controls, device binding, short-lived tokens, and re-auth can limit payoff
There is no internet-reachable service to mass exploit at scale
Blast radius is usually one user and one device at a time

Detection/coverage: Watch IdP sign-in anomalies, impossible travel, token reuse alerts, and conditional-access failures after suspected lure delivery.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No active exploitation evidence located in reviewed sources, and not KEV-listed at time of assessment.
KEV status	Not listed in CISA KEV; no CISA due date applies.
PoC availability	No public PoC found in reviewed search results, GitHub-adjacent references, or vendor release notes. That lowers immediate attacker utility.
EPSS	No public EPSS value located for this exact CVE in reviewed sources. FIRST's public EPSS service exists, but I did not find a returned score tied to this ID in the sources reviewed.
CVSS vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H` — the key realism anchor is UI:R. This is not self-propagating or scanner-reachable.
Affected versions	Chrome for iOS before 149.0.7827.53.
Fixed version	149.0.7827.53 or later. Because this is an App Store app, remediation depends on MDM/App Store update uptake, not OS package managers or distro backports.
Exposure/scanning reality	Not meaningfully internet-scannable. Shodan/Censys/FOFA-style exposure data is largely irrelevant because the vulnerable surface is a mobile client app, not a listening service.
Disclosure date	2026-06-04.
Researcher / reporting	Not named in the provided intel, and no authoritative public attribution was confirmed in reviewed sources.

04 · The Call

noisgate verdict.

Final Verdict

↓ DOWNGRADED to MEDIUM (6.5/10)

The decisive factor is reachability: this requires user interaction on a vulnerable iOS Chrome install and yields, at most from reviewed evidence, a sandboxed mobile app foothold rather than broad enterprise compromise. With no KEV listing, no public exploit evidence, and no internet-scannable attack surface, this is a patching obligation, not a stop-the-line event.

HIGH Exposure narrowing from Chrome-on-iOS-only scope and user-interaction requirement

MEDIUM Severity downgrade from vendor 8.8 to operational MEDIUM

LOW Exact post-exploitation blast radius without public bug details

Why this verdict

Downgraded for attacker position: the exploit starts from a lure, not unauthenticated service reachability; that immediately cuts enterprise-wide exploitability versus a server bug.
Downgraded for population size: only devices running Chrome on iOS and still below 149.0.7827.53 are in scope; that is a much smaller slice than "Chrome" generically implies.
Downgraded for blast radius: on iOS, successful exploitation is constrained by app sandboxing and usually pays off as session theft or app-context abuse, not domain-wide compromise.

Why not higher?

There is no reviewed evidence of active exploitation, no KEV listing, and no public PoC lowering time-to-weaponization. Just as important, the vulnerable surface is not internet-scannable and does not create mass-exploitation conditions across a fleet the way Exchange, VPN, or edge device bugs do.

Why not lower?

It is still a browser memory-corruption issue with remote delivery and potentially severe impact for the individual user who clicks. If your workforce uses managed iPhones heavily for SSO, SaaS admin access, or privileged email, a single-device browser compromise can still expose real business data and active sessions.

05 · Compensating Control

What to do — in priority order.

Inventory vulnerable app versions — Use MDM or app inventory to identify devices running Chrome for iOS <149.0.7827.53. This is the only dependable way to scope exposure; for a MEDIUM verdict there is no mitigation SLA — go straight to the 365-day remediation window, but do the inventory work immediately because detection is version-based.
Enforce app auto-update — Confirm App Store app auto-update is enabled and MDM policy is not pinning old Chrome builds. For MEDIUM, there is no mitigation SLA — go straight to the 365-day remediation window, and auto-update is the least painful path to close the gap at fleet scale.
Harden mobile web delivery — Keep Safe Browsing, mobile threat defense, mail-link rewriting, and web filtering enabled to reduce the odds of users reaching exploit pages. These are supporting controls only; for MEDIUM, there is no mitigation SLA — go straight to the 365-day remediation window.
Watch for account-side fallout — Monitor IdP and SaaS logs for unusual mobile-origin session reuse, impossible travel, fresh device registrations, and repeated re-auth prompts. For MEDIUM, there is no mitigation SLA — go straight to the 365-day remediation window, but session telemetry is your best safety net where iOS endpoint visibility is thin.

What doesn't work

External vulnerability scanning does not help; this is a mobile client application issue, not a listening network service.
WAF rules do not solve the core problem because the exploit can be delivered from arbitrary attacker-controlled content over normal browsing paths.
Traditional endpoint EDR assumptions do not translate well to iOS; process-level exploit visibility is limited, so do not count on host telemetry to prove absence of exploitation.

06 · Verification

Crowdsourced verification payload.

Run this on an auditor workstation or CI job against an MDM-exported CSV of mobile apps or device inventory — not on the iPhone itself. Invoke it as python3 check_chrome_ios_cve_2026_10885.py inventory.csv with a CSV containing at least a device identifier plus either app_name/bundle_id and version; no elevated privileges are needed.

noisgate-verify.py

PYTHONREAD-ONLYSAFE

#!/usr/bin/env python3\n# check_chrome_ios_cve_2026_10885.py\n# Exit codes:\n#   0 = all identified Chrome for iOS installs are patched\n#   1 = one or more vulnerable installs found\n#   2 = unknown / input problem / no matching records\n\nimport csv\nimport sys\nfrom typing import List\n\nTARGET_VERSION = [149, 0, 7827, 53]\nIOS_HINTS = {"ios", "iphone", "ipad", "ipados"}\nCHROME_NAME_HINTS = {"chrome", "google chrome"}\nCHROME_BUNDLE_HINTS = {"com.google.chrome.ios", "com.google.chrome.ios.beta", "com.google.chrome"}\n\ndef normalize(s: str) -> str:\n    return (s or "").strip().lower()\n\ndef parse_version(v: str) -> List[int]:\n    if not v:\n        return []\n    parts = []\n    for token in v.strip().split('.'):\n        num = ''\n        for ch in token:\n            if ch.isdigit():\n                num += ch\n            else:\n                break\n        if num == '':\n            break\n        parts.append(int(num))\n    return parts\n\ndef cmp_versions(a: List[int], b: List[int]) -> int:\n    max_len = max(len(a), len(b))\n    a = a + [0] * (max_len - len(a))\n    b = b + [0] * (max_len - len(b))\n    if a < b:\n        return -1\n    if a > b:\n        return 1\n    return 0\n\ndef is_ios_row(row: dict) -> bool:\n    hay = ' '.join([\n        normalize(row.get('platform', '')),\n        normalize(row.get('os', '')),\n        normalize(row.get('os_family', '')),\n        normalize(row.get('device_type', ''))\n    ])\n    return any(h in hay for h in IOS_HINTS)\n\ndef is_chrome_ios_row(row: dict) -> bool:\n    app_name = normalize(row.get('app_name', ''))\n    bundle_id = normalize(row.get('bundle_id', ''))\n    package_name = normalize(row.get('package_name', ''))\n    app_id = normalize(row.get('app_id', ''))\n\n    chrome_name_match = app_name in CHROME_NAME_HINTS or ('chrome' in app_name and 'google' in app_name)\n    bundle_match = bundle_id in CHROME_BUNDLE_HINTS or package_name in CHROME_BUNDLE_HINTS or app_id in CHROME_BUNDLE_HINTS\n\n    return is_ios_row(row) and (chrome_name_match or bundle_match)\n\ndef device_label(row: dict, idx: int) -> str:\n    for key in ('device_name', 'hostname', 'serial', 'udid', 'asset_tag', 'user', 'email'):\n        val = row.get(key)\n        if val:\n            return str(val)\n    return f'row_{idx}'\n\ndef main() -> int:\n    if len(sys.argv) != 2:\n        print('UNKNOWN: usage: python3 check_chrome_ios_cve_2026_10885.py <inventory.csv>')\n        return 2\n\n    path = sys.argv[1]\n    try:\n        fh = open(path, newline='', encoding='utf-8-sig')\n    except Exception as e:\n        print(f'UNKNOWN: cannot open file: {e}')\n        return 2\n\n    vulnerable = []\n    patched = []\n    unknown = []\n    matched = 0\n\n    with fh:\n        reader = csv.DictReader(fh)\n        if not reader.fieldnames:\n            print('UNKNOWN: CSV has no header row')\n            return 2\n\n        for idx, row in enumerate(reader, start=2):\n            if not is_chrome_ios_row(row):\n                continue\n            matched += 1\n            label = device_label(row, idx)\n            version = row.get('version') or row.get('app_version') or row.get('installed_version') or ''\n            parsed = parse_version(version)\n            if not parsed:\n                unknown.append((label, version or ''))\n                continue\n            if cmp_versions(parsed, TARGET_VERSION) < 0:\n                vulnerable.append((label, version))\n            else:\n                patched.append((label, version))\n\n    if matched == 0:\n        print('UNKNOWN: no Chrome for iOS records matched the CSV filters')\n        return 2\n\n    for label, version in vulnerable:\n        print(f'VULNERABLE: {label} -> {version}')\n    for label, version in patched:\n        print(f'PATCHED: {label} -> {version}')\n    for label, version in unknown:\n        print(f'UNKNOWN: {label} -> {version}')\n\n    print(f'SUMMARY: matched={matched} vulnerable={len(vulnerable)} patched={len(patched)} unknown={len(unknown)} target>=149.0.7827.53')\n\n    if vulnerable:\n        return 1\n    if patched and not unknown:\n        return 0\n    return 2\n\nif __name__ == '__main__':\n    sys.exit(main())

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning, treat this as a mobile client patching task, not an incident-response sprint: pull MDM inventory for Chrome for iOS <149.0.7827.53, verify auto-update policy, and clean up stragglers through your normal managed-app process. Because this lands at MEDIUM, there is no noisgate mitigation SLA — go straight to the 365-day remediation window under the noisgate remediation SLA; if your identity admins or executives are heavy iPhone Chrome users, close that subset first even though this does not justify emergency change windows.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.