CVE-2026-11010 · Use after free in WebShare in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer pro

01 · The Real Story

This is a trapdoor hidden behind another locked door

CVE-2026-11010 is a CWE-416 use-after-free in the Android WebShare path of Google Chrome. It affects Chrome on Android versions prior to 149.0.7827.53, and the bug sits in the browser-side share plumbing rather than being a standalone renderer RCE. In practical terms, a malicious site would first need to gain code execution in the renderer process and then steer Chrome's Android sharing flow into the vulnerable path to try for a sandbox escape.

Google's own Chromium security labeling calls this one Medium, and that is about right in enterprise reality even without an official CVSS. The decisive downgrade pressure is the prerequisite chain: renderer compromise first, Android only, and likely user-driven Web Share invocation. That makes this valuable to exploit developers building chains, but a poor candidate for mass one-click enterprise compromise by itself.

"= ASSESSED AT MEDIUM: this is a sandbox-escape helper, not a one-bug remote compromise."

02 · The Attack Path

4 steps from start to impact.

STEP 01

Land a separate renderer exploit

The attacker needs an independent browser bug to compromise Chrome's renderer process from a crafted page. Chromium's own threat model explicitly treats compromised renderers as a post-breach state and relies on sandbox and browser-process checks to contain them. Tooling: a separate renderer exploit chain, not CVE-2026-11010 itself.

Conditions required:

Victim browses to attacker-controlled content in Chrome on Android
Attacker already has a working renderer-compromise primitive
Target device runs a vulnerable Chrome for Android build

Where this breaks in practice:

This CVE is not initial access; it is dead weight without a first bug
Modern browser mitigations, exploit hardening, and fast browser patch cadence reduce availability of reliable stage-one bugs
No public exploit chain pairing this CVE with a renderer bug was found

Detection/coverage: Traditional vulnerability scanners will miss this. Detection is mostly indirect: browser crash telemetry, exploit-kit telemetry, Safe Browsing events, and managed app version inventory.

STEP 02

Reach the Android WebShare surface

Once inside the renderer, the attacker has to drive the vulnerable WebShare feature path. The Web Share API is a user-facing share mechanism, and the W3C specification ties navigator.share() to user activation, which adds workflow friction even after renderer compromise. Tooling: Web Share API / crafted HTML page invoking share behavior.

Conditions required:

Chrome for Android exposes the Web Share path on the target device
The attacker's page can invoke the share flow in the victim session
A valid user-activation context is available for share invocation

Where this breaks in practice:

Web Share is not a silent background primitive; it is tied to user-driven sharing semantics
Feature availability and permissions policy can narrow reachable cases
This is Android-specific, excluding desktop Chrome fleets

Detection/coverage: No meaningful scanner coverage. User-session recording, mobile browser telemetry, and unusual share-sheet invocation analytics are the only realistic visibility sources, and many enterprises will not have them.

STEP 03

Trigger the WebShare race/UAF

The fix commit references threading violations, race conditions, and lifecycle handling in BlobReceiver and ShareServiceImpl, including reordered cleanup and closed-state checks. That strongly suggests exploitation hinges on precise sequencing inside the Android share pipeline, not a simple deterministic parser bug. Tooling: a tailored exploit primitive against issue 496266444, likely race-oriented.

Conditions required:

Attacker can control the data and timing that reach the vulnerable WebShare code path
The target build contains the vulnerable implementation
Execution context survives long enough to win the race reliably

Where this breaks in practice:

Race-condition style memory corruption is harder to weaponize consistently across Android devices and OS versions
No public PoC or weaponized exploit was found
Bug details remain restricted, limiting copycat exploitation

Detection/coverage: Expect crash-heavy testing before reliable exploitation. Watch for Chrome ANR/crash spikes on Android and repeated failures in com.android.chrome around sharing actions.

STEP 04

Convert browser-side corruption into sandbox escape

If the UAF is successfully exploited, the attacker may cross from a sandboxed renderer into more privileged browser-side Chrome code. On Android, that means escaping the renderer's isolated_app sandbox into Chrome's app context, which is meaningful but still not the same as device-root compromise. Tooling: post-corruption browser-process exploitation and IPC abuse.

Conditions required:

The UAF yields a controllable primitive, not just a crash
The attacker can turn that primitive into code execution or equivalent control in a more privileged process
Chrome's remaining browser-process and platform defenses do not block post-escape actions

Where this breaks in practice:

Impact is generally limited to Chrome's app privileges, not full-device takeover
Additional post-escape work is needed to reach data theft or persistence objectives
Enterprise Android controls, work profiles, and app sandboxing can still constrain blast radius

Detection/coverage: Mobile EDR coverage is uneven. Best practical control is version compliance plus anomaly monitoring on managed Android devices.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No public evidence of active exploitation found as of `2026-06-05`; not listed in CISA KEV.
PoC availability	No public weaponized PoC located. The public fix commit exists (`5678c0f8...`), but the Chromium issue remains restricted.
EPSS	`0.00032` from the user-supplied intel; that is very low, consistent with a niche post-compromise chain component rather than an internet-scale initial-access bug.
KEV status	No — absent from the CISA Known Exploited Vulnerabilities Catalog as of `2026-06-05`.
CVSS / severity baseline	There is no authoritative CVSS score or vector published for this CVE. Chromium's advisory labels it only as Medium severity.
Affected versions	Google Chrome on Android prior to `149.0.7827.53`.
Fixed version	Update to Chrome for Android `149.0.7827.53` or later. No distro-style backport stream applies here; this is a Play-distributed mobile browser package.
Exposure reality	This is not internet-scannable in any useful sense. Shodan/Censys/FOFA do not surface it because the vulnerable component is a client-side Android browser feature, not a listening service.
Disclosure and reporting	Disclosed `2026-06-04`. Chromium's release notes say it was reported by David Sievers on 2026-03-26.
Exploit-chain interpretation	Best understood as a sandbox-escape enabler after renderer compromise. That makes it important for exploit chaining, but materially less urgent than a one-bug browser RCE.

04 · The Call

noisgate verdict.

Final Verdict

= UNCHANGED to MEDIUM (5.4/10)

The single biggest factor is that the attacker must already have compromised the renderer process before this bug matters. That prerequisite pushes the CVE out of the initial-access bucket and into exploit-chain support, which is why it lands at MEDIUM instead of HIGH or CRITICAL despite the sandbox-escape angle.

HIGH Affected/fixed version and Android-only scope

MEDIUM Real-world exploitability after renderer compromise

MEDIUM User-activation and workflow friction in the Web Share path

Why this verdict

Requires a first bug: the attacker must already control a compromised renderer, which implies prior successful exploitation and sharply narrows real-world reach.
Android-only and feature-bound: only Chrome on Android is affected, and the vulnerable path sits behind WebShare, not a ubiquitous always-on parser surface.
Reliability looks non-trivial: the patch fixes threading/race/lifecycle issues, which usually means harder cross-device weaponization and lower mass-exploitation odds than a straightforward memory corruption primitive.

Why not higher?

This is not a one-CVE drive-by compromise. There is no published CVSS, no KEV entry, no public exploitation evidence, and the attack chain starts from an already-compromised renderer instead of an unauthenticated remote entry point. Those are strong downward pressures in enterprise prioritization.

Why not lower?

Sandbox escapes still matter because they are what turns renderer footholds into meaningful browser-context control. Chrome on Android is widespread, and if an attacker already has stage one, this bug could materially improve post-exploitation outcomes. That keeps it above LOW.

05 · Compensating Control

What to do — in priority order.

Force Chrome auto-update on managed Android — Use MDM/EMM managed Play controls to require com.android.chrome updates and remove version drift. For a MEDIUM verdict there is no mitigation SLA — go straight to the 365-day remediation window, but browsers are cheap to update, so collapse exposure in your next normal mobile app cycle rather than waiting for the deadline.
Restrict sensitive internal apps to managed browsers — If your mobile access stack supports app protection or conditional access, require managed Chrome/current version for high-value internal web apps. This does not fix the bug, but it reduces the value of a browser escape against unmanaged or stale devices; with MEDIUM severity, fold this into standard policy tuning rather than emergency change windows.
Watch Android Chrome crash and version telemetry — Because exploit development against racey UAFs often crashes first, sudden com.android.chrome crash spikes on Android are worth triage. Pair crash data with app-version inventory to find lingering vulnerable cohorts during the remediation window.

What doesn't work

Perimeter vulnerability scanning doesn't help because there is no externally exposed service to probe.
A WAF won't fix this; the dangerous step happens inside the client browser after page rendering and feature invocation.
Password resets, MFA prompts, or IdP hardening are good hygiene but irrelevant to the memory-safety flaw itself.

06 · Verification

Crowdsourced verification payload.

Run this on an auditor workstation with the Android SDK adb installed, against a USB- or network-connected Android device that has Chrome installed. Example: ./check_cve_2026_11010.sh ABC123DEF456; no root is required, but you do need adb access to the device and permission to query package metadata.

noisgate-verify.sh

BASHREAD-ONLYSAFE

#!/usr/bin/env bash
# check_cve_2026_11010.sh
# Verify whether Google Chrome on Android is vulnerable to CVE-2026-11010
# Affected: Chrome on Android < 149.0.7827.53
# Output: VULNERABLE / PATCHED / UNKNOWN
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

set -u

PKG="com.android.chrome"
FIXED_VERSION="149.0.7827.53"
SERIAL="${1:-}"
ADB_BIN="${ADB_BIN:-adb}"

adb_cmd() {
  if [[ -n "$SERIAL" ]]; then
    "$ADB_BIN" -s "$SERIAL" "$@"
  else
    "$ADB_BIN" "$@"
  fi
}

version_lt() {
  # returns 0 if $1 < $2
  local IFS=.
  local i
  local -a a=($1) b=($2)
  local len=${#a[@]}
  if (( ${#b[@]} > len )); then
    len=${#b[@]}
  fi
  for ((i=0; i<len; i++)); do
    local ai=${a[i]:-0}
    local bi=${b[i]:-0}
    if ((10#$ai < 10#$bi)); then
      return 0
    elif ((10#$ai > 10#$bi)); then
      return 1
    fi
  done
  return 1
}

if ! command -v "$ADB_BIN" >/dev/null 2>&1; then
  echo "UNKNOWN - adb not found in PATH"
  exit 2
fi

if ! adb_cmd get-state >/dev/null 2>&1; then
  echo "UNKNOWN - no reachable adb device"
  exit 2
fi

PACKAGE_INFO="$(adb_cmd shell dumpsys package "$PKG" 2>/dev/null || true)"
if [[ -z "$PACKAGE_INFO" ]]; then
  echo "UNKNOWN - unable to query package info for $PKG"
  exit 2
fi

VERSION="$(printf '%s\n' "$PACKAGE_INFO" | sed -n 's/.*versionName=\([^[:space:]]*\).*/\1/p' | head -n1)"
if [[ -z "$VERSION" ]]; then
  VERSION="$(adb_cmd shell cmd package list packages -f "$PKG" 2>/dev/null | sed -n 's/.*versionName=\([^[:space:]]*\).*/\1/p' | head -n1)"
fi

if [[ -z "$VERSION" ]]; then
  echo "UNKNOWN - Chrome not installed or versionName unavailable"
  exit 2
fi

if version_lt "$VERSION" "$FIXED_VERSION"; then
  echo "VULNERABLE - $PKG version $VERSION is older than fixed $FIXED_VERSION"
  exit 1
else
  echo "PATCHED - $PKG version $VERSION is at or above fixed $FIXED_VERSION"
  exit 0
fi

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning, pull MDM inventory for com.android.chrome across your managed Android fleet and identify anything below 149.0.7827.53. For a MEDIUM finding there is noisgate mitigation SLA — no mitigation SLA, go straight to the 365-day remediation window — but browsers are operationally easy to update, so use your next standard mobile update cycle to force compliance rather than leaving stragglers hanging around. Have managed devices on 149.0.7827.53+ well before the noisgate remediation SLA ceiling of <= 365 days, and separately document residual risk for BYOD/unmanaged phones because network scanners will not find this class of exposure.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.