CVE-2026-11080 · Use after free in WebView in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to potentially exploit heap corruptio

01 · The Real Story

This is a loose floorboard in a moving car, not a missing wheel

CVE-2026-11080 is a use-after-free in Android WebView / Chrome on Android that affects versions prior to 149.0.7827.53. A remote attacker can deliver a crafted HTML page that triggers heap corruption when rendered in a vulnerable WebView context, which means the reachable population is Android users browsing in Chrome or inside an app that embeds WebView.

paragraph 2: The raw CVSS looks scary because it models a remote browser-memory-corruption bug with no auth required, but reality is tighter. Google’s own Chromium-facing labeling for this issue is Medium, there is no KEV listing, no public exploitation evidence, no public PoC, and the description stops at heap corruption rather than demonstrating sandbox escape or reliable code execution; that combination warrants a downgrade from the 8.8-style baseline.

"Serious browser memory corruption, but the real-world chain is narrow and not yet showing attacker traction."

02 · The Attack Path

4 steps from start to impact.

STEP 01

Land the target on attacker HTML

The attacker needs the victim to open a malicious URL in Chrome for Android or an application embedding Android WebView. Weaponization here is just a crafted HTML/JavaScript page; no public exploit kit or named repo was found for this CVE at review time.

Conditions required:

Target uses Android Chrome or an app embedding vulnerable WebView
Installed version is earlier than 149.0.7827.53
Victim opens attacker-controlled web content

Where this breaks in practice:

This is UI:R; the user has to browse, click, or otherwise render attacker content
Many enterprise Android fleets restrict unmanaged browsing paths with MDM, Safe Browsing, or mobile threat defense
Exposure is limited to Android, not your whole endpoint estate

Detection/coverage: Email/web gateways, DNS filtering, Safe Browsing telemetry, and MDM browser policy logs may catch delivery. Version scanners on the internet will not.

STEP 02

Trigger the WebView use-after-free

Once the page is rendered, the attacker must hit the vulnerable object lifetime condition in WebView and shape the heap into something useful. That usually means precise timing and heap grooming, not just tossing malformed markup at the device.

Conditions required:

Vulnerable WebView code path is reachable from attacker HTML
Exploit chain can reliably groom heap state on the target build

Where this breaks in practice:

No public PoC was located, so exploit development cost is non-trivial
Android/Chromium mitigations make many memory-corruption bugs crashy rather than useful
Build, device, allocator, and app embedding differences hurt reliability

Detection/coverage: Crash telemetry is your best signal: repeated Chrome/WebView renderer crashes, ANRs, or app instability around untrusted content.

STEP 03

Turn heap corruption into execution

Heap corruption is the primitive, not the end state. The attacker still has to convert it into controlled execution or meaningful data access inside the browser/rendering context, typically with a custom exploit chain rather than an off-the-shelf tool.

Conditions required:

Corruption yields usable read/write or control-flow influence
Target-side mitigations do not collapse the chain into a crash

Where this breaks in practice:

The public description does not claim sandbox escape
Modern browser sandboxing, ASLR, CFI, and platform hardening pressure exploit reliability
Single-bug browser exploitation on Android is harder than the CVSS number suggests

Detection/coverage: If you have mobile EDR or app telemetry, look for abnormal child activity following WebView crashes; otherwise detection is weak.

STEP 04

Convert browser foothold into enterprise impact

Even if the attacker gets code execution in the renderer context, they still need a second step to leave that sandbox or steal something valuable from the active session. For enterprise risk, the decisive question is whether this bug alone gives a stable path to device takeover or tenant-wide impact; the current record does not show that.

Conditions required:

Victim is logged into valuable web apps or the exploit chain includes a follow-on escape
Attacker can monetize browser-context access on mobile

Where this breaks in practice:

This CVE alone is not documented as a sandbox escape or LPE
Blast radius is typically one user session or one device unless chained
Conditional access, app isolation, and short-lived sessions reduce payoff

Detection/coverage: Identity telemetry, session anomaly detection, and impossible-travel/token-reuse monitoring matter more than network scanners here.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No confirmed active exploitation found at review time; PCWorld says Google reported none of the Chrome 149 patched flaws had been exploited in the wild as of 2026-06-05.
Public PoC availability	No public PoC located in normal open-source channels during review, and the referenced Chromium issue is still part of the usual restricted-detail flow.
EPSS	0.00032 from the intel you supplied — effectively very low short-term exploitation probability for a freshly disclosed client-side bug.
KEV status	Not KEV-listed. No CISA KEV catalog entry was identified for this CVE.
CVSS vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H` — the important reducer is UI:R: this is a browse-to-own problem, not a wormable daemon.
Affected versions	Google Chrome on Android / WebView prior to 149.0.7827.53 per NVD.
Fixed versions	Treat 149.0.7827.53+ as the fixed baseline for the vulnerable code path; PCWorld notes Chrome for Android rolled out as 149.0.7827.59 carrying the same security bundle.
Vendor severity mismatch	Your supplied baseline is HIGH 8.8, but both NVD and the Chrome release entry preserve Google’s Chromium security severity: Medium language for this CVE.
Scanning / exposure reality	Shodan/Censys-style internet scans are largely useless here because this is a client-side Android browser/WebView bug. Exposure must be measured from MDM/app inventory, not from perimeter scans.
Disclosure / reporter	Published 2026-06-04 in NVD; Chrome release notes show it was reported by Google on 2026-04-06.

04 · The Call

noisgate verdict.

Final Verdict

↓ DOWNGRADED to MEDIUM (6.1/10)

The decisive downgrade factor is that this is an Android-only, user-assisted, client-side memory-corruption bug with no documented sandbox escape and no active exploitation evidence. The vendor-style 8.8 framing overstates operational risk for enterprise patch queues because each prerequisite narrows the reachable population and the likely blast radius to a single mobile user/device unless chained.

HIGH Affected version range and fixed baseline

HIGH No KEV / no confirmed in-the-wild exploitation at review time

MEDIUM Real-world exploitability and post-corruption impact

Why this verdict

UI:R is a real brake — the attacker needs the user to render hostile content, which moves this out of the wormable/server-side bucket and into phishing or malvertising territory.
Android/WebView-only cuts exposed population — this is not your whole Chrome estate, only the Android slice plus apps that actually embed vulnerable WebView.
The record tops out at heap corruption — there is no public claim here of sandbox escape, privilege escalation, or reliable full-device takeover from this CVE alone.
Threat intel is cold — EPSS is tiny, there is no KEV entry, and I found no public PoC or exploitation reporting.
Google’s own Chromium label is Medium — that is a better operational anchor than blindly inheriting an 8.8-style browser CVSS.

Why not higher?

If this had active exploitation, a public exploit, or a documented sandbox escape / device compromise chain, the score would move up fast. Right now the evidence points to a technically serious bug whose practical enterprise weaponization is still gated by user interaction, Android-only reach, and missing second-stage proof.

Why not lower?

This is still remote, no-auth, browser-facing memory corruption in a mass-deployed component. If you run a sizable managed Android fleet or have line-of-business apps embedding WebView, the reachable attack surface is real enough that this does not belong in the ignore pile.

05 · Compensating Control

What to do — in priority order.

Force Chrome and WebView auto-update — Use MDM/EMM policy to require automatic updates for Chrome for Android and Android System WebView. For a MEDIUM verdict there is no mitigation SLA — go straight to the 365-day remediation window, but this is cheap hygiene and should be verified in your normal mobile compliance cycle.
Gate outdated Android browsers from access — If your conditional-access stack can read app or OS compliance state, block or step-up-auth devices still running pre-fix Chrome/WebView builds. There is no mitigation SLA for MEDIUM, so do this as a policy hardening improvement while you drive patch compliance inside the remediation window.
Prefer managed browser paths over embedded WebView — Where enterprise apps can switch from raw embedded WebView to managed browser / custom tab patterns, do it. That reduces app-specific exposure and gives you better update cadence; again, no mitigation SLA here, so fold it into app hardening rather than emergency change.
Keep URL filtering and Safe Browsing enforced — This bug still needs attacker HTML delivery, so mobile web filtering, DNS protections, and Safe Browsing remove a chunk of practical reach. They are not a substitute for the fix, but they are useful exposure reducers during the normal 365-day remediation window.

What doesn't work

A WAF does not help much here because the attack is delivered through the victim's outbound browsing session, not your inbound web apps.
Perimeter internet scanning will not tell you where you are exposed; this is a client-side Android app/browser versioning problem.
Desktop Chrome patch compliance is irrelevant to the vulnerable population if your risk sits in Android Chrome or Android System WebView.

06 · Verification

Crowdsourced verification payload.

Run this on an auditor workstation with adb installed, against a connected Android device or a device reachable through your enterprise Android management tooling. Invoke it as ./check_cve_2026_11080.sh or ./check_cve_2026_11080.sh <device-serial>; it needs adb shell access, but not root.

noisgate-verify.sh

BASHREAD-ONLYSAFE

#!/usr/bin/env bash
# check_cve_2026_11080.sh
# Determine whether an attached Android device is vulnerable to CVE-2026-11080
# by checking Chrome / Android WebView package versions.
#
# Output:
#   VULNERABLE - at least one relevant installed package is older than 149.0.7827.53
#   PATCHED    - relevant installed packages found and all are >= 149.0.7827.53
#   UNKNOWN    - adb/package info unavailable or no relevant package info could be read
#
# Exit codes:
#   0 = PATCHED
#   1 = VULNERABLE
#   2 = UNKNOWN

set -u

FIXED_VERSION="149.0.7827.53"
SERIAL_ARG="${1:-}"
ADB=(adb)

if [[ -n "$SERIAL_ARG" ]]; then
  ADB+=( -s "$SERIAL_ARG" )
fi

have_cmd() {
  command -v "$1" >/dev/null 2>&1
}

version_lt() {
  # Returns 0 if $1 < $2
  [[ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" != "$2" ]]
}

get_version() {
  local pkg="$1"
  local out ver
  out="$(${ADB[@]} shell dumpsys package "$pkg" 2>/dev/null | tr -d '\r')" || return 1
  ver="$(printf '%s\n' "$out" | sed -n 's/.*versionName=\([^[:space:]]*\).*/\1/p' | head -n1)"
  [[ -n "$ver" ]] || return 1
  printf '%s' "$ver"
  return 0
}

if ! have_cmd adb; then
  echo "UNKNOWN - adb not installed"
  exit 2
fi

if ! ${ADB[@]} get-state >/dev/null 2>&1; then
  echo "UNKNOWN - no adb device available"
  exit 2
fi

PACKAGES=(
  "com.android.chrome"
  "com.google.android.webview"
  "com.android.webview"
)

found_any=0
vuln_any=0
report=()

for pkg in "${PACKAGES[@]}"; do
  if ver="$(get_version "$pkg")"; then
    found_any=1
    if version_lt "$ver" "$FIXED_VERSION"; then
      vuln_any=1
      report+=("$pkg=$ver (older than $FIXED_VERSION)")
    else
      report+=("$pkg=$ver")
    fi
  fi
done

if [[ "$found_any" -eq 0 ]]; then
  echo "UNKNOWN - unable to read Chrome/WebView package versions"
  exit 2
fi

if [[ "$vuln_any" -eq 1 ]]; then
  printf 'VULNERABLE - %s\n' "${report[*]}"
  exit 1
fi

printf 'PATCHED - %s\n' "${report[*]}"
exit 0

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning: pull an MDM inventory of Android devices and identify any fleet members still on Chrome / Android System WebView older than 149.0.7827.53. For a MEDIUM noisgate verdict there is no noisgate mitigation SLA — go straight to the 365-day remediation window, so this is not an all-hands fire drill; validate update enforcement this week, fold laggards into your next mobile compliance sweep, and complete the actual version remediation inside the noisgate remediation SLA of ≤365 days.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.