CVE-2026-10959 · Use after free in Input in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Hi

01 · The Real Story

This is a burglar getting into the apartment lobby, not the penthouse

CVE-2026-10959 is a use-after-free in Chrome's Input component that lets a malicious web page trigger arbitrary code execution inside Chrome's sandbox on Android. The public records describe affected builds as Google Chrome on Android prior to 149.0.7827.53; Google then shipped Chrome for Android 149.0.7827.59 on June 2, 2026, and explicitly states Android carries the same security fixes as the corresponding desktop 149.0.7827.53/54 release.

The vendor's HIGH 8.8 baseline is technically defensible in CVSS terms, but it overstates enterprise patch urgency for standalone prioritization. The decisive reality is that this is sandboxed renderer code execution with required user interaction, no public exploit chain, no KEV entry, and a microscopic EPSS signal; on its own, it is usually a single-app compromise primitive, not full device takeover.

"Renderer-only RCE on Android Chrome sounds scary, but without a sandbox escape or exploitation evidence it is not a fire drill."

02 · The Attack Path

4 steps from start to impact.

STEP 01

Deliver a crafted HTML page

The attacker needs the victim to load attacker-controlled web content in Chrome on Android. In practice that means phishing, malvertising, a redirect, or compromising a site the target already visits.

Conditions required:

Victim uses Chrome on Android
Victim visits attacker-controlled or attacker-influenced web content
Affected Chrome build is still installed

Where this breaks in practice:

Requires user interaction rather than silent network reachability
Mobile enterprise users are often funneled through safer app stores, MDM-managed browsers, and link protections
Chrome auto-update shortens the vulnerable population quickly after rollout

Detection/coverage: Traditional network scanners will not see this. Coverage is indirect through mobile threat defense, secure web gateway telemetry, URL-click protection, and Chrome version inventory via MDM/EMM.

STEP 02

Trigger the Input use-after-free

A crafted page abuses the vulnerable Input code path to corrupt memory and obtain code execution in the renderer process. This is a browser-memory-corruption step; the attack surface is the browser engine, not an exposed enterprise service.

Conditions required:

Specific vulnerable execution path in Input must be reachable from web content
Exploit must be reliable against the target Chrome build and device class

Where this breaks in practice:

No public PoC was surfaced in the advisory trail reviewed
Memory-corruption reliability on fragmented Android hardware/browser builds is non-trivial
Google sandboxing and exploit mitigations reduce straightforward weaponization

Detection/coverage: Exploitability is generally not verified by vuln scanners. Crash telemetry, browser instability spikes, and mobile EDR/MTD exploit detections are the practical signals.

STEP 03

Operate inside the sandbox

Successful exploitation yields code execution inside Chrome's sandbox, not at the Android OS level. That gives the attacker a foothold in the browser process context, but the sandbox materially limits direct system impact.

Conditions required:

Renderer code execution achieved
Attacker can work within sandbox constraints

Where this breaks in practice:

The CVE does not provide a sandbox escape
Direct access to the broader device, other apps, and privileged OS resources remains constrained
Enterprise impact is usually limited to the user session unless chained with another flaw

Detection/coverage: Most asset scanners will still only report version-based exposure. Endpoint-side detections are needed to catch post-exploitation behavior inside the app sandbox.

STEP 04

Chain to meaningful device compromise

To turn this into full device compromise or durable enterprise impact, the attacker usually needs a second bug such as a sandbox escape, privilege escalation, or account/session-theft objective. That second-stage dependency is the biggest reason this CVE should not be treated like a one-shot endpoint takeover.

Conditions required:

A second exploit or a high-value browser-resident target is available
Victim session contains worthwhile enterprise access

Where this breaks in practice:

No linked second-stage exploit evidence was identified
Chain construction sharply narrows the real attacker set
Without a chain, the blast radius is far below a typical unauthenticated server RCE

Detection/coverage: Look for suspicious account activity, token abuse, impossible travel, and mobile-browser anomaly telemetry rather than expecting perimeter scanners to validate chaining.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No public in-the-wild evidence found in the reviewed sources; not listed in CISA KEV as of this assessment.
Proof-of-concept availability	No public PoC identified in the GHSA, NVD record, or Chrome release notes reviewed. That does not mean exploit development is impossible; it means there is no public commodity path yet.
EPSS	0.0008 (~0.08%) from the user-supplied intel. Accessible FIRST documentation confirms EPSS as the authoritative data source, but the exact percentile for this CVE was not surfaced in the browsable public pages reviewed.
KEV status	Not KEV-listed. CISA's KEV catalog is the authoritative source for known exploitation prioritization, and this CVE was not present there during this reassessment.
CVSS vector interpretation	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H` maps to remote, low-complexity, no-privilege exploitation with required user interaction. The important practical limiter is `UI:R` plus sandboxed impact.
Affected versions	Public records describe Chrome on Android prior to 149.0.7827.53 as affected; Google separately released Chrome for Android 149.0.7827.59 and states Android contains the same security fixes as desktop `149.0.7827.53/54`.
Fixed versions	Treat Chrome for Android 149.0.7827.59 or later as the Android patched train. For reference, Google says the Android build contains the same security fixes as the desktop 149.0.7827.53/54 release.
Scanning / exposure reality	Client-side software; not meaningfully internet-scannable. Shodan/Censys/FOFA/GreyNoise-style exposure counts are largely irrelevant here because Chrome on Android is not a listening server surface. Inference based on product type and advisory scope.
Disclosure timeline	June 2, 2026: Google shipped Chrome for Android 149.0.7827.59. June 4, 2026: NVD published the CVE record. June 5, 2026: GitHub Advisory Database published GHSA-r535-vj4v-w8rf.
Reporter / source	Chrome's desktop release notes attribute CVE-2026-10959 as reported by Google on 2026-04-28.

04 · The Call

noisgate verdict.

Final Verdict

↓ DOWNGRADED to MEDIUM (5.9/10)

The single most important downward pressure is that the bug yields code execution only inside Chrome's sandbox on Android. That means the flashy CVSS outcome overstates real-world enterprise impact unless an attacker also has a working second-stage chain or a very specific browser-resident objective.

HIGH Exploit preconditions and sandbox-limited impact

MEDIUM Enterprise prevalence and operational urgency across managed Android fleets

MEDIUM Absence of public exploitation or public PoC at time of review

Why this verdict

Downgraded for sandbox-only impact: the advertised outcome is arbitrary code execution inside a sandbox, not a full Android compromise primitive.
Downgraded for user-interaction requirement: the attacker needs the victim to open crafted web content, which implies phishing, malvertising, or site compromise rather than direct remote reachability.
Downgraded for weak threat telemetry: no KEV listing, no public exploitation evidence, and EPSS 0.0008 all argue against emergency fleet disruption.
Still not LOW: Chrome is ubiquitous, the attack is remote, and browser-memory-corruption bugs are valuable chain components when paired with a sandbox escape or session objective.

Why not higher?

It is not higher because this CVE does not deliver full device compromise by itself; the documented impact stops at renderer-level execution within Chrome's sandbox. There is also no public evidence here of active exploitation, KEV inclusion, or a broadly available exploit chain that would justify treating it like an urgent outbreak-grade browser zero-day.

Why not lower?

It is not lower because remote browser memory corruption on a massively deployed client remains a meaningful enterprise risk class. If a user on an affected Android device hits the wrong page, the attacker can still gain execution inside the browser process, which is more than mere nuisance or backlog hygiene.

05 · Compensating Control

What to do — in priority order.

Force Chrome auto-update on Android — Use MDM/EMM policy to verify managed Android devices move to 149.0.7827.59+ and stop lagging on pre-fix builds. For a MEDIUM verdict there is no mitigation SLA; use normal operations and complete patch remediation within the 365-day window, but most fleets should finish far sooner because this is a core browser.
Reduce risky web delivery paths — Apply or tighten secure web gateway, mobile threat defense, DNS filtering, and phishing-resistant link protection for Android users so fewer malicious pages ever render in Chrome. There is no mitigation SLA — go straight to the 365-day remediation window, but these controls are useful immediately if patch rollout is uneven.
Inventory browser versions from MDM — Pull package-version inventory for com.android.chrome and target only devices below the fixed train to avoid blind spots. For this MEDIUM finding, keep it in your normal remediation queue and close version drift within the 365-day remediation deadline.
Harden web-to-SSO paths — Because renderer compromise often aims at session theft rather than OS takeover, prioritize stronger session protections around enterprise apps accessed from mobile browsers, including re-authentication for sensitive actions and shorter token lifetimes where feasible. This is compensating hardening, not a substitute for the browser update, and there is no mitigation SLA attached to it.

What doesn't work

Perimeter vulnerability scanning doesn't help much here because Chrome on Android is a client application, not an exposed service.
WAF tuning is mostly irrelevant unless you control the exact malicious site path; this is a browser-side memory corruption issue triggered by rendered content.
Assuming the sandbox makes patching optional is wrong; the sandbox is the reason this is not HIGH/CRITICAL, not a reason to ignore the fix.

06 · Verification

Crowdsourced verification payload.

Run this on an auditor workstation with adb installed, not on the Android device itself. Invoke it as ./check-cve-2026-10959.sh <device-serial> or ./check-cve-2026-10959.sh for a single connected device; no root is required, but the device must allow ADB and expose package info for com.android.chrome.

noisgate-verify.sh

BASHREAD-ONLYSAFE

#!/usr/bin/env bash
# check-cve-2026-10959.sh
# Determine whether an Android device's Google Chrome version is vulnerable to CVE-2026-10959.
# Vulnerable: Chrome on Android versions prior to 149.0.7827.53
# Practical patched train from Google Android release: 149.0.7827.59+
# Output: VULNERABLE / PATCHED / UNKNOWN
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN, 3=usage/adb error

set -u

TARGET_VERSION="149.0.7827.53"
PACKAGE="com.android.chrome"
SERIAL="${1:-}"

adb_cmd() {
  if [[ -n "$SERIAL" ]]; then
    adb -s "$SERIAL" "$@"
  else
    adb "$@"
  fi
}

version_lt() {
  # returns 0 if $1 < $2
  local IFS=.
  local i
  local -a a=($1) b=($2)
  local len=${#a[@]}
  [[ ${#b[@]} -gt $len ]] && len=${#b[@]}
  for ((i=0; i<len; i++)); do
    local ai=${a[i]:-0}
    local bi=${b[i]:-0}
    if ((10#$ai < 10#$bi)); then
      return 0
    elif ((10#$ai > 10#$bi)); then
      return 1
    fi
  done
  return 1
}

if ! command -v adb >/dev/null 2>&1; then
  echo "UNKNOWN: adb not found in PATH"
  exit 3
fi

STATE="$(adb_cmd get-state 2>/dev/null)"
if [[ "$STATE" != "device" ]]; then
  echo "UNKNOWN: no connected/authorized Android device${SERIAL:+ for serial $SERIAL}"
  exit 2
fi

PKG_DUMP="$(adb_cmd shell dumpsys package "$PACKAGE" 2>/dev/null | tr -d '\r')"
if [[ -z "$PKG_DUMP" ]]; then
  echo "UNKNOWN: unable to query package $PACKAGE"
  exit 2
fi

VERSION_NAME="$(printf '%s\n' "$PKG_DUMP" | sed -n 's/.*versionName=\([^ ]*\).*/\1/p' | head -n1)"
if [[ -z "$VERSION_NAME" ]]; then
  VERSION_NAME="$(adb_cmd shell cmd package dump "$PACKAGE" 2>/dev/null | tr -d '\r' | sed -n 's/.*versionName=\([^ ]*\).*/\1/p' | head -n1)"
fi

if [[ -z "$VERSION_NAME" ]]; then
  echo "UNKNOWN: Chrome installed state/version could not be determined"
  exit 2
fi

if version_lt "$VERSION_NAME" "$TARGET_VERSION"; then
  echo "VULNERABLE: $PACKAGE version $VERSION_NAME is older than $TARGET_VERSION"
  exit 1
else
  echo "PATCHED: $PACKAGE version $VERSION_NAME is at or above $TARGET_VERSION"
  exit 0
fi

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning: pull your MDM inventory for Chrome on Android, identify devices below the fixed train, and roll them into your normal browser remediation workflow. Because this reassesses to MEDIUM and there is no KEV or active exploitation evidence, there is no noisgate mitigation SLA — go straight to the 365-day remediation window; that said, browsers should not sit that long in practice, so complete the actual Chrome update well before the noisgate remediation SLA limit of 365 days and use web filtering / mobile threat defense only as temporary exposure reduction, not as closure.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.