← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
CVE-2026-11072 · CWE-416 · Disclosed 2026-06-04

Use after free in WebView in Google Chrome on Android prior to 149

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is a blade hidden inside a locked toolbox, not a tripwire on your internet edge

CVE-2026-11072 is a use-after-free in Android WebView/Chrome WebView code affecting Google Chrome on Android before 149.0.7827.53. In plain terms, malformed content can make WebView reference memory after it has been released, which can crash the component or, in the worst case, turn memory corruption into attacker-controlled code execution. The affected population is Android devices using vulnerable Chrome/WebView builds, not Windows, macOS, Linux, or server-side Chrome consumers.

Google's HIGH / 7.8 score is technically defensible in a vacuum because memory-corruption plus arbitrary code execution is never trivial. But for enterprise patch prioritization, that label overstates the fleet-wide urgency: the attacker needs a local position on the device and user interaction, there is no KEV listing, the supplied EPSS is extremely low, and the blast radius is constrained to the subset of your managed Android/WebView estate rather than your core desktop or internet-facing fleet.

"Serious bug, wrong fire drill: this is Android-only and needs a local foothold first."
02 · The Attack Path

4 steps from start to impact.

STEP 01

Land code on the device with a malicious app or local foothold

The attacker first needs code execution or meaningful local presence on the Android handset. In practice that means a sideloaded app, a trojanized app from a third-party store, an already-compromised device, or hands-on local access. The practical weapon here is usually a custom Android app dropper rather than an off-the-shelf exploit pack.
Conditions required:
  • Target is an Android device with vulnerable Chrome/WebView code below 149.0.7827.53
  • Attacker can place or run a local app, or otherwise gain local foothold on the device
  • Enterprise allows app install paths broad enough for malicious code to land
Where this breaks in practice:
  • This is post-initial-access by definition; the attacker is already on the device
  • Managed Android fleets often restrict sideloading and unknown app sources
  • Play Protect, MDM app allowlists, and mobile threat defense reduce reach
Detection/coverage: Standard network vulnerability scanners will miss this. Detection is mostly MDM/mobile-threat-defense telemetry, app inventory, sideload events, and device posture controls.
STEP 02

Drive the victim into vulnerable WebView content

The local foothold must get the user to open or interact with content that is rendered through the vulnerable WebView path. A common implementation is a malicious in-app HTML payload or a local app invoking a WebView-backed activity. The CVSS UI:R matters here: a user action is part of the chain.
Conditions required:
  • A reachable app flow exists that renders attacker-controlled content in WebView
  • Victim performs the needed tap/open/navigation action
Where this breaks in practice:
  • Not every enterprise Android app exposes attacker-controlled WebView surfaces
  • User interaction requirements lower reliability and speed of exploitation
  • App sandboxing and content restrictions can block the exact trigger path
Detection/coverage: Low direct scanner coverage. Look for suspicious deep links, unusual app-to-app intents, and anomalous WebView crashes in app telemetry or crash reporting.
STEP 03

Trigger the use-after-free in WebView

The exploit then exercises the memory lifecycle bug inside WebView until freed memory is reused in an attacker-controlled way. Real weaponization would typically use a custom memory-corruption exploit tuned to the specific Chrome/WebView build and device architecture. This is where most copycat attempts fail.
Conditions required:
  • Exact vulnerable code path is reachable in the installed build
  • Exploit is stable enough for the target device, ABI, and mitigations
Where this breaks in practice:
  • Browser/WebView memory-corruption exploitation on modern Android is fragile
  • Version drift across OEMs and Play-delivered component updates hurts exploit reliability
  • No public exploit tooling or broad in-the-wild tradecraft was identified
Detection/coverage: Possible signals include repeated renderer crashes, tombstones, and anomalous crash loops. Vulnerability scanners generally do not verify exploitability here; they only flag version state.
STEP 04

Convert renderer-level code exec into useful impact

If the bug is successfully exploited, the attacker gets arbitrary code execution in the compromised WebView/Chrome context and can steal data handled there, manipulate sessions, or chain onward. The practical impact depends on what app hosts the WebView and what additional escapes or privileges are available. Without a follow-on chain, the attacker is still constrained by Android's app and process boundaries.
Conditions required:
  • Exploit achieves reliable code execution
  • The target app/WebView session handles sensitive enterprise data or auth material
Where this breaks in practice:
  • App sandboxing limits blast radius
  • A broader device compromise may require a second bug or existing elevated privileges
  • Enterprise mobile apps may already gate sensitive actions behind re-auth or device trust
Detection/coverage: Monitor app crash artifacts, suspicious session reuse, mobile EDR/MTD alerts, and abnormal WebView-hosting app behavior. External attack-surface tools provide little value because this is not an internet-exposed service.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusNo confirmed active exploitation found in the sources reviewed; the supplied intel also says KEV listed: No.
KEV statusNot listed in CISA KEV at time of review. That matters because Chrome bugs that are being burned at scale often show up there quickly when exploitation is confirmed.
Proof-of-concept availabilityNo public PoC or Metasploit-grade exploit located in the reviewed sources. For a modern Android WebView UAF, absence of public tooling is meaningful downward pressure on urgency.
EPSSSupplied intel: 0.00009. That is effectively noise-floor exploit probability, and no confirmed percentile was provided in the input or verified from a primary per-CVE EPSS record.
CVSS vector meaningCVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H means local attack vector, no privileges, user interaction required, and high theoretical impact if exploitation succeeds. The local vector is the big reality check here.
Affected versionsGoogle Chrome on Android prior to 149.0.7827.53 per the supplied CVE text. Treat Android devices using vulnerable WebView provider builds as exposed.
Fixed versionFix threshold from supplied intel: 149.0.7827.53 or later. On Android, actual deployed provider version may be Chrome or Android System WebView depending OS/provider selection.
Exposure profileClient-side mobile exposure only. There is no meaningful Shodan/Censys/FOFA internet-facing footprint because this is not a listening service; exposure exists only on-device where vulnerable WebView content is rendered.
Disclosure date2026-06-04 per supplied intel, aligning with the Chrome 149 security-release window.
Research / reporting attributionNot publicly attributed in the supplied record. Chrome release notes often suppress bug detail until patch adoption is high, so researcher attribution may lag.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to LOW (3.7/10)

The decisive factor is attacker position: AV:L makes this a post-foothold mobile exploit, not an initial-access path into your environment. Once you combine that with Android-only scope, required user interaction, and no exploitation signal, this stops being a fleet-wide priority-one patch event.

HIGH Downgrade from vendor HIGH based on local-only attacker requirement
MEDIUM Assessment of real-world exploitability without public PoC details

Why this verdict

  • Start at vendor 7.8/HIGH because memory corruption with possible arbitrary code execution in a widely deployed engine is never harmless
  • Downshift for attacker position: AV:L means the attacker already needs a foothold on the Android device, which implies a prior compromise stage or local app placement
  • Downshift for interaction and population: UI:R plus Android-only WebView scope narrows the reachable population far below a remotely reachable desktop Chrome bug
  • Downshift for threat evidence: no KEV listing, no public exploit found in review, and the supplied EPSS 0.00009 all point to weak real-world exploitation pressure

Why not higher?

This is not an internet-edge issue and not even a standard remote client bug. To matter, the attacker must already be on the handset or get a malicious app onto it, then still rely on a WebView interaction path and exploit stability on modern Android builds.

Why not lower?

It is still arbitrary code execution from a memory-corruption flaw in a ubiquitous mobile rendering component. If you do operate a large managed Android estate with permissive app installation or risky in-app WebView usage, it deserves patching and version hygiene rather than dismissal.

05 · Compensating Control

What to do — in priority order.

  1. Block sideloading where possible — Use MDM/EMM policy to restrict unknown sources, third-party app stores, and unmanaged app install paths. For a LOW verdict there is no mitigation SLA, so treat this as backlog hygiene and apply it in your normal mobile-hardening cycle; it directly attacks the biggest prerequisite in this chain: local foothold.
  2. Enforce managed app allowlists — Keep only approved business apps on corporate Android devices and require Play Protect or equivalent mobile threat defense. For this verdict there is no mitigation SLA, so fold it into routine mobile compliance enforcement and use it to reduce the chance an attacker can plant the malicious local app needed to reach the bug.
  3. Inventory actual WebView provider versions — Do not rely on Android OS version alone; identify whether the active WebView provider is Chrome or Android System WebView and collect the exact installed version. There is no mitigation SLA here, but this check should be part of your next mobile exposure review because vulnerable and patched states can diverge across OEMs.
  4. Prefer external browser over embedded WebView for risky flows — For enterprise apps under your control, move high-risk auth and untrusted web content out of embedded WebView and into the platform browser where feasible. There is no mitigation SLA for LOW, so handle this as application hardening work, not emergency response.
What doesn't work
  • A perimeter WAF does not help because the vulnerable surface is a local mobile rendering component, not your web server.
  • Desktop Chrome patching alone is irrelevant for this CVE because the issue is scoped to Chrome/WebView on Android.
  • Network vulnerability scans will mostly miss it; they can inventory versions only if your MDM exposes package telemetry, but they cannot prove exploitability on-device.
06 · Verification

Crowdsourced verification payload.

Run this from an auditor workstation with adb installed against a USB-connected or enterprise-debuggable Android device. Invoke it as ./check_cve_2026_11072.sh <device-serial> or ./check_cve_2026_11072.sh for the only attached device; it needs adb access, but not root.

noisgate-verify.sh
BASHREAD-ONLYSAFE
#!/usr/bin/env bash
# check_cve_2026_11072.sh
# Verify whether an Android device is vulnerable to CVE-2026-11072 by checking
# the active WebView provider and common Chrome/WebView package versions.
# Exit codes:
#   0 = PATCHED
#   1 = VULNERABLE
#   2 = UNKNOWN / usage / adb failure

set -euo pipefail

FIXED_VERSION="149.0.7827.53"
SERIAL="${1:-}"
ADB=(adb)
if [[ -n "$SERIAL" ]]; then
  ADB+=( -s "$SERIAL" )
fi

fail_unknown() {
  echo "UNKNOWN: $1"
  exit 2
}

have_cmd() {
  command -v "$1" >/dev/null 2>&1
}

version_ge() {
  # returns 0 if $1 >= $2
  local a="$1" b="$2"
  if [[ "$a" == "$b" ]]; then
    return 0
  fi
  local first
  first=$(printf '%s\n%s\n' "$a" "$b" | sort -V | head -n1)
  [[ "$first" == "$b" ]]
}

get_pkg_ver() {
  local pkg="$1"
  "${ADB[@]}" shell dumpsys package "$pkg" 2>/dev/null | awk -F= '/versionName=/{print $2; exit}' | tr -d '\r'
}

if ! have_cmd adb; then
  fail_unknown "adb is not installed"
fi

STATE=$("${ADB[@]}" get-state 2>/dev/null || true)
if [[ "$STATE" != "device" ]]; then
  fail_unknown "no reachable adb device"
fi

# Try to identify the active WebView provider.
CURRENT_PROVIDER=$("${ADB[@]}" shell cmd webviewupdate getCurrentWebViewPackage 2>/dev/null | tr -d '\r' || true)
CURRENT_PROVIDER_PKG=$(printf '%s' "$CURRENT_PROVIDER" | sed -n 's/^[[:space:]]*Current WebView package (name, version):[[:space:]]*\([^[:space:]]*\).*/\1/p')
CURRENT_PROVIDER_VER=$(printf '%s' "$CURRENT_PROVIDER" | sed -n 's/^[[:space:]]*Current WebView package (name, version):[[:space:]]*[^[:space:]]*[[:space:]]\([^[:space:]]*\).*/\1/p')

# Fallback package checks.
CHROME_VER=$(get_pkg_ver com.android.chrome || true)
GOOGLE_WEBVIEW_VER=$(get_pkg_ver com.google.android.webview || true)
AOSP_WEBVIEW_VER=$(get_pkg_ver com.android.webview || true)

BEST_NAME=""
BEST_VER=""

if [[ -n "$CURRENT_PROVIDER_PKG" && -n "$CURRENT_PROVIDER_VER" ]]; then
  BEST_NAME="$CURRENT_PROVIDER_PKG"
  BEST_VER="$CURRENT_PROVIDER_VER"
fi

for candidate in \
  "com.android.chrome:$CHROME_VER" \
  "com.google.android.webview:$GOOGLE_WEBVIEW_VER" \
  "com.android.webview:$AOSP_WEBVIEW_VER"
 do
  NAME="${candidate%%:*}"
  VER="${candidate#*:}"
  [[ -z "$VER" ]] && continue
  if [[ -z "$BEST_VER" ]] || version_ge "$VER" "$BEST_VER"; then
    BEST_NAME="$NAME"
    BEST_VER="$VER"
  fi
 done

if [[ -z "$BEST_VER" ]]; then
  fail_unknown "could not determine Chrome/WebView package version"
fi

echo "Detected provider/package: ${BEST_NAME:-unknown}"
echo "Detected version: $BEST_VER"
echo "Fixed version threshold: $FIXED_VERSION"

if version_ge "$BEST_VER" "$FIXED_VERSION"; then
  echo "PATCHED"
  exit 0
else
  echo "VULNERABLE"
  exit 1
fi
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning, do not treat this like a top-of-queue Chrome emergency unless you run a materially large managed Android estate with weak app-install controls. For a LOW verdict there is noisgate mitigation SLA and noisgate remediation SLA beyond backlog hygiene, so go straight to normal mobile-client maintenance: inventory Android devices using vulnerable Chrome/WebView providers, fold updates to 149.0.7827.53+ into the next scheduled mobile patch wave, and use the same cycle to tighten sideloading and app allowlist policy where those controls are still loose.

Sources

  1. Chrome Releases: Chrome for Android Update
  2. Chrome Releases: Early Stable Update for Desktop
  3. Chrome 149 release notes
  4. Android Developers: WebView API reference
  5. Android Developers: Security checklist
  6. CISA Known Exploited Vulnerabilities Catalog
  7. FIRST EPSS API documentation
  8. GovCERT.HK alert on Chrome 149 vulnerabilities
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.