CVE-2026-10932 · Use after free in UI in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to potentially exploit heap corruption via

01 · The Real Story

This is a loaded mousetrap inside a moving car, dangerous when triggered but not easy to hit at scale

CVE-2026-10932 is a use-after-free in Chrome UI affecting Google Chrome on Android before the fixed 149 branch security release. Google’s June 2, 2026 Android stable note shipped Chrome 149.0.7827.59 and explicitly says Android carries the same security fixes as the corresponding desktop 149.0.7827.53/54 release, where CVE-2026-10932 is listed as a High severity bug. Practically, your Android exposure is devices still running older Chrome for Android builds, especially pre-149 stable or lagging 149 builds that have not yet picked up the Android rollout.

The vendor’s 8.8/HIGH score is technically defensible for a memory-corruption browser bug, but it overstates the patch urgency for most enterprises. This is Android-only, requires user interaction, has no KEV listing, no public in-the-wild evidence located, and a very low EPSS. The biggest real-world downgrade is attacker reach: this is not an internet-facing server bug, not wormable, and not a one-packet takeover; it is a client-side browser exploit that still needs a user to hit the page and an exploit chain reliable enough to survive Chrome’s sandboxing and Android-specific process isolation.

"Real bug, real memory corruption, but it is still a user-driven Android browser exploit with no field evidence"

02 · The Attack Path

4 steps from start to impact.

STEP 01

Get the target onto a hostile page

The attacker needs Chrome on Android to render attacker-controlled web content. In practice that means phishing, malvertising, SEO-poisoned links, in-app link opens, or compromised legitimate sites delivering exploit HTML/JS. The weaponized tool here is a malicious landing page carrying trigger logic and environment checks.

Conditions required:

Target uses Chrome on Android
Target visits attacker-controlled or attacker-influenced content
Network path allows access to the page

Where this breaks in practice:

User interaction is required
Enterprise mobile fleets often funnel links through email security, mobile threat defense, or safe browsing controls
A meaningful slice of enterprise Android browsing is inside managed work profiles, not arbitrary sideloaded browsers

Detection/coverage: Traditional vuln scanners do not see this step. Coverage is mostly indirect: phishing telemetry, DNS/web proxy logs, Safe Browsing alerts, and mobile threat defense telemetry.

STEP 02

Trigger the UI use-after-free

The hostile page must drive Chrome’s vulnerable UI code path into a dangling-pointer condition and then reclaim or reshape heap state for corruption. The weaponized tool here is crafted HTML/JavaScript tuned to the affected build and device behavior. A crash is easy; controlled exploitation is the hard part.

Conditions required:

Vulnerable Chrome for Android version is present
The specific UI path is reachable from web content
Exploit logic is matched to the target branch/device behavior

Where this breaks in practice:

Use-after-free bugs are branch-sensitive and often flaky across device models
Modern Chrome heap hardening raises the bar from crash to code execution
Bug details are typically embargoed until most users are updated, slowing commodity weaponization

Detection/coverage: Crash telemetry, Play Protect, and vendor/browser crash analytics may see failed exploitation, but enterprise defenders usually do not get deterministic signatures for a fresh client-side Chrome bug.

STEP 03

Convert corruption into meaningful code execution

After memory corruption, the attacker still needs a reliable exploit primitive such as controlled read/write, object confusion, or control-flow influence. The weaponized tool here is a device- and build-specific browser exploit chain, usually with heap grooming and mitigation bypasses. This is where many proof-of-concept crashes die.

Conditions required:

Attacker can stabilize the corruption primitive
Target architecture and build are supported by the exploit
Mitigations do not collapse the chain

Where this breaks in practice:

Exploit reliability on Android is weaker than on homogeneous desktop fleets
ARM64, Chrome sandboxing, and process isolation reduce exploit portability
No public PoC or observed campaign lowers the odds of broad opportunistic use

Detection/coverage: No dependable scanner coverage. Detection is mostly behavioral: abnormal Chrome crashes, repeated renderer exits, MTD/EDR signals, or device forensics after suspected compromise.

STEP 04

Move from browser compromise to business impact

If exploitation succeeds, the attacker can likely act within the compromised browsing context and may reach session data, rendered content, or same-process data. The weaponized tool here is a post-exploitation browser payload for session theft, webmail/SSO abuse, or follow-on sandbox escape attempts. Full device takeover is not guaranteed from this CVE alone.

Conditions required:

Successful browser compromise
Valuable session material exists in the reachable browser context
No downstream control interrupts exfiltration or follow-on actions

Where this breaks in practice:

Chrome on Android uses sandboxed helper processes and partial/full site isolation depending on device capabilities
Low-memory Android behavior and per-site isolation can limit cross-site blast radius
A second bug may be required for full device escape or durable persistence

Detection/coverage: Session abuse may surface in IdP logs, impossible-travel detections, cookie theft detections, or anomalous app access; the browser exploit itself remains hard to catch directly.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No public exploitation evidence located in the sources reviewed, and Google’s release note does not call out active exploitation.
KEV status	Not listed in the CISA KEV catalog.
EPSS	0.00068 (~0.068%), which is extremely low and consistent with a bug that is hard to operationalize at scale.
PoC availability	No public PoC found. The Chromium issue exists but remains access-restricted, which is normal for fresh browser memory-corruption bugs.
Vendor severity baseline	HIGH 8.8 from the vendor/CNA, vector `AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H`.
Vector interpretation	Remote + no auth helps the attacker, but UI:R is the real brake: this only fires when the victim browses to hostile content.
Affected versions	Chrome on Android prior to the fixed 149 security release. For enterprise inventory, treat Android Chrome < 149.0.7827.59 as exposed unless you have stronger vendor-channel evidence.
Fixed versions	Desktop security fix is in 149.0.7827.53/54; Google states the Android release 149.0.7827.59 contains the same security fixes.
Exposure and scanning reality	Internet exposure telemetry is basically N/A here. Shodan/Censys/FOFA do not enumerate managed handset app versions, so you need EMM/MDM inventory or `adb`/local package data, not perimeter scanning.
Disclosure and reporter	Disclosed 2026-06-04; Chrome release notes attribute the bug to Google, reported 2026-04-10.

04 · The Call

noisgate verdict.

Final Verdict

↓ DOWNGRADED to MEDIUM (6.3/10)

The decisive downgrade factor is attacker reach: this is a user-driven Android client-side browser bug, not an unauthenticated internet-facing service flaw. With no KEV listing, no public exploitation evidence, and very low EPSS, the probability of broad opportunistic abuse across an enterprise fleet is materially lower than the vendor CVSS suggests.

HIGH Assessment that this is a real memory-corruption bug fixed in Chrome 149 security releases

MEDIUM Assessment that real-world enterprise urgency is lower than vendor HIGH because of attacker-position and reach friction

LOW Precise exploit reliability across Android models, because the underlying bug details remain restricted

Why this verdict

Downgrade for attacker position: the attacker is *unauthenticated remote*, but only if they can first get a user onto hostile web content; that is a prior delivery problem, not direct service reach.
Downgrade for exposure population: this is Chrome on Android, not cross-platform Chrome desktop, so the reachable enterprise population is narrower from the start.
Downgrade for chain complexity: a use-after-free gives memory corruption, but reliable exploitation on Android still needs device/build-specific stabilization beyond just making Chrome crash.
Downgrade for blast radius controls: Chrome on Android uses sandboxed helper processes, and site isolation is partial or fuller depending on device RAM and configuration, which constrains cross-site payoff on many devices.
Downgrade for threat intel: no KEV, no public PoC found, and EPSS 0.00068 all argue against immediate mass exploitation pressure.

Why not higher?

This is not a direct-to-service RCE that every external scanner can find and every botnet can hit. The attack requires a victim browsing event, a vulnerable Android Chrome build, and a stable exploit chain that survives modern browser and Android mitigations; that combination is exactly why it does not earn a noisgate HIGH or CRITICAL.

Why not lower?

It is still a real browser memory-safety bug in a massively deployed client, and successful exploitation can expose authenticated web sessions and sensitive rendered content. If you have a large managed Android fleet with executives, admins, or high-risk mobile users, the consequence side is serious enough that this should not be thrown into backlog hygiene.

05 · Compensating Control

What to do — in priority order.

Enforce managed Chrome updates — Push Chrome through Managed Google Play / EMM and verify devices are actually receiving current stable builds. For this MEDIUM verdict there is no noisgate mitigation SLA; use this as an operational control while you drive toward the 365-day remediation window.
Inventory Android Chrome versions centrally — Do not rely on perimeter scanners; pull package-version data from your MDM/EMM and flag Chrome for Android < 149.0.7827.59. Again, no mitigation SLA — go straight to the remediation program, but close visibility gaps now because mobile app patch lag is usually the real problem.
Reduce unmanaged browsing risk for high-value users — For execs, admins, and privileged mobile users, restrict sideloading, keep Safe Browsing enabled, and prefer managed work-profile browsing paths. This does not replace patching, but it lowers the odds of step 1 succeeding while you complete remediation inside the 365-day window.
Monitor for suspicious mobile session reuse — Because browser exploitation often cashes out as session theft rather than loud malware, watch IdP, mail, and SaaS logs for anomalous token use from Android users. There is no mitigation SLA on a MEDIUM call, but this is a cheap way to catch business impact if exploitation does occur before remediation.

What doesn't work

Perimeter vulnerability scanning: it does not tell you which handsets run a vulnerable Chrome build.
MFA by itself: it helps account abuse generally, but it does not stop a browser memory-corruption exploit from executing in the victim’s session.
Server-side WAF rules: this is a client-side browser bug; a WAF may block some delivery paths but cannot be trusted as a primary control.

06 · Verification

Crowdsourced verification payload.

Run this from an auditor workstation with adb installed against a USB- or network-connected Android device. Example: ./check_chrome_android_cve_2026_10932.sh ABC123DEF or, if only one device is connected, ./check_chrome_android_cve_2026_10932.sh. It needs adb shell access to query the package manager; no root is required.

noisgate-verify.sh

BASHREAD-ONLYSAFE

#!/usr/bin/env bash
# check_chrome_android_cve_2026_10932.sh
# Detect whether Google Chrome on Android is patched for CVE-2026-10932.
# Logic: Chrome for Android 149.0.7827.59 contains the same security fixes as
# desktop 149.0.7827.53/54, where CVE-2026-10932 is listed.
# Exit codes:
#   0 = PATCHED
#   1 = VULNERABLE
#   2 = UNKNOWN

set -u

PKG="com.android.chrome"
FIXED="149.0.7827.59"
SERIAL="${1:-}"
ADB=(adb)

if [[ -n "$SERIAL" ]]; then
  ADB+=( -s "$SERIAL" )
fi

ver_to_int() {
  local IFS=.
  local parts=($1)
  local a=${parts[0]:-0}
  local b=${parts[1]:-0}
  local c=${parts[2]:-0}
  local d=${parts[3]:-0}
  printf "%03d%03d%03d%03d\n" "$a" "$b" "$c" "$d"
}

if ! "${ADB[@]}" get-state >/dev/null 2>&1; then
  echo "UNKNOWN: adb cannot reach the target device"
  exit 2
fi

VERSION=$("${ADB[@]}" shell dumpsys package "$PKG" 2>/dev/null | tr -d '\r' | sed -n 's/.*versionName=\([^[:space:]]*\).*/\1/p' | head -n1)

if [[ -z "$VERSION" ]]; then
  VERSION=$("${ADB[@]}" shell cmd package list packages -f "$PKG" 2>/dev/null | tr -d '\r' >/dev/null; \
            "${ADB[@]}" shell dumpsys package "$PKG" 2>/dev/null | tr -d '\r' | grep -m1 'versionName=' | cut -d= -f2)
fi

if [[ -z "$VERSION" ]]; then
  echo "UNKNOWN: package $PKG not found or version unreadable"
  exit 2
fi

CUR=$(ver_to_int "$VERSION")
MIN=$(ver_to_int "$FIXED")

if [[ "$CUR" -ge "$MIN" ]]; then
  echo "PATCHED: $PKG version $VERSION >= $FIXED"
  exit 0
else
  echo "VULNERABLE: $PKG version $VERSION < $FIXED"
  exit 1
fi

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning, treat this as a managed mobile-browser hygiene issue, not a fire drill. Pull an Android Chrome version report from your EMM/MDM, identify devices below 149.0.7827.59, and make sure Chrome is being delivered through managed update channels. Because this is MEDIUM, there is no noisgate mitigation SLA — go straight to the 365-day remediation window; your noisgate remediation SLA is ≤ 365 days to get vulnerable Android Chrome instances onto the fixed branch. If you have high-risk mobile users, tighten browsing controls and monitor session abuse now, but do not let this displace KEV-listed or actively exploited priorities.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.