01 · The Real Story
This is a burglar targeting a side door that most iPhones never actually have installed
CVE-2026-11165 is a reported use-after-free in WebMIDI affecting Google Chrome on iOS before 149.0.7827.53, with the vendor describing possible sandbox escape from a crafted web page. In abstract browser-bug terms that is ugly: remote delivery, no prior auth, and memory corruption in a browser component is exactly the class of issue that can turn into code execution or a privilege boundary bypass.
In practice, the vendor's CRITICAL 9.6 overstates enterprise risk for normal iOS fleets. Chrome on iOS is generally constrained by Apple's WebKit rules, and Web MIDI is not supported on Safari/iOS WebKit, which means the named feature path is largely non-reachable in standard App Store deployments. Add the need for user interaction and the fact this is a client-side mobile-app issue with no internet-exposed service footprint, and this falls from emergency patching into backlog hygiene unless you have niche alternative-browser-engine pilots or regional exceptions.
"High theoretical impact, but the iOS attack path is mostly a dead feature path, not a fleet emergency."
02 · The Attack Path
4 steps from start to impact.
STEP 01
Land the victim on attacker-controlled web content
The attacker needs the user to open a crafted page in Chrome on iOS, typically via phishing, malvertising, or a poisoned link. The nominal weaponized primitive is ordinary web content plus JavaScript delivered over HTTPS.
Conditions required:
- User has Chrome installed on iPhone or iPad
- User opens the attacker-controlled page
- The page is allowed to execute client-side script
Where this breaks in practice:
- This is UI:R; there is no unauthenticated server-side reachability
- Enterprise mobile fleets often reduce link-open rates with Safe Browsing, MTD, and managed browser defaults
Detection/coverage: Email/web gateways may catch the lure, but vulnerability scanners do not meaningfully detect this attack precondition because it is a client-side browsing event.
STEP 02
Reach the WebMIDI code path with navigator.requestMIDIAccess()
A browser exploit would normally exercise the vulnerable feature by calling the Web MIDI API, specifically
navigator.requestMIDIAccess(), and then driving malformed object lifetime transitions. This is the decisive friction point: Safari on iOS does not support Web MIDI, and standard Chrome on iOS inherits the platform browser-engine constraints in most deployments.Conditions required:
- The browser build actually exposes Web MIDI on iOS
- The page can invoke the Web MIDI API successfully
- Any required secure-context and permission gating is satisfied
Where this breaks in practice:
- According to browser compatibility data, Safari on iOS does not support Web MIDI
- Apple App Store rules generally require iOS browsers to use WebKit unless special alternative-engine entitlements apply
- This makes the named vulnerable feature path likely dead-by-default for most enterprise iPhones
Detection/coverage: Traditional vuln scanners usually miss this kind of feature-level reachability issue; this is a manual assessment call based on platform/browser behavior.
STEP 03
Trigger the use-after-free and gain controlled corruption
If the code path is reachable, the exploit would try to free an object and then re-use stale memory to corrupt adjacent state. The weaponized technique is the classic browser-exploit pattern of heap grooming plus repeated API interactions to steer allocation timing.
Conditions required:
- The vulnerable build is present
- The exploit can reliably shape heap state on the target device
- The vulnerable WebMIDI path is reachable from untrusted content
Where this breaks in practice:
- iOS browser exploitation is reliability-sensitive and device-version sensitive
- No public PoC or in-the-wild exploitation evidence was located in the cited sources
- Without feature reachability, this step never starts
Detection/coverage: EDR coverage on iOS is limited compared with desktop; practical detection comes more from crash telemetry and mobile threat defense than from host exploit signatures.
STEP 04
Chain memory corruption into a sandbox escape
The vendor description says the end state is a potential sandbox escape, which implies the memory corruption must be promoted into a privilege-boundary bypass. That is a much narrower and more expensive outcome than simple renderer compromise, especially on iOS where app and platform isolation add another barrier.
Conditions required:
- The corruption is exploitable, not just a crash
- A viable post-corruption escape path exists on the device/build
- The attacker can bypass iOS and browser isolation controls
Where this breaks in practice:
- The title itself says potentially perform a sandbox escape, not guaranteed
- iOS layering shrinks blast radius to the individual device, not a server or domain-wide foothold
- This is already post-user-click and post-feature-reachability
Detection/coverage: Mobile crash logs, anomalous browser termination patterns, and MTD telemetry are your best signals; internet-facing scanners provide no value here.
03 · Intelligence Metadata
The supporting signals.
| In-the-wild status | No confirmed active exploitation found in the cited sources; not KEV-listed. |
|---|---|
| Public PoC availability | No public PoC located in the cited sources as of this assessment. That is an inference from source review, not a proof of absence. |
| EPSS | 0.00062 from the user-supplied intel; that is extremely low. Percentile was not independently verified here. |
| KEV status | No. CISA's KEV catalog is the authoritative source for known exploitation; this CVE was not listed at assessment time. |
| CVSS vector interpretation | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H scores the *technical worst case*: remote, low complexity, user click required, and cross-scope impact. That model does not account for dead feature paths on iOS. |
| Affected versions | Per the supplied advisory text and third-party indexing, Chrome on iOS before 149.0.7827.53. |
| Fixed version | 149.0.7827.53. For iOS there are no distro backports; this is an App Store/mobile-app inventory problem. |
| Exposure / scanning reality | Shodan/Censys/FOFA are irrelevant here. This is a client-side mobile browser issue, not an internet-exposed daemon, so external scan counts do not help prioritize it. |
| Disclosure date | 2026-06-04. |
| Researcher / reporting org | Not publicly credited in the sources reviewed. Treat attribution as unknown unless the eventual CVE/CNA record adds credits. |
04 · The Call
noisgate verdict.
Final Verdict
↓ DOWNGRADED to LOW (2.8/10)
The single biggest downgrade factor is reachability: the bug is named in WebMIDI, but Web MIDI is not supported on iOS WebKit, and standard Chrome on iOS generally rides that engine policy. A CRITICAL score only makes sense if attackers can reliably hit the vulnerable feature from untrusted web content; for normal enterprise iPhone fleets, that precondition looks mostly false.
HIGH Downgrade driven by **WebMIDI not being supported on Safari/iOS WebKit**
MEDIUM Exact affected/fixed iOS app version mapping, because the public official iOS release notes located do not spell out this CVE
Why this verdict
- Vendor baseline is theoretical, not deployed reality: 9.6 assumes the vulnerable path is reachable from hostile web content and can cross a sandbox boundary.
- Attacker position is worse than the CVSS headline suggests: they still need user interaction and a victim browsing event, which already removes this from wormable, server-side urgency.
- Reachability collapses on standard iOS: Apple App Store rules keep normal iOS browsers on WebKit, and Safari on iOS does not support Web MIDI. That means the named vulnerable feature path is likely absent in the majority of enterprise deployments.
- Exposure population is narrow: this is not a VPN, gateway, or SSO edge service; it is a mobile client app on individual handsets, with no meaningful external attack-surface census.
- Modern controls add more drag: Safe Browsing, MTD, managed link handling, and user-click requirements each shave off practical exploit volume before we even get to the memory-corruption step.
- Blast radius is per-device: even in the bad case, this is about compromising a handset session, not mass compromise of a server tier or identity plane.
Why not higher?
Because the path is stacked with real-world friction: user interaction, client-side only, and most importantly a likely non-existent WebMIDI surface on standard iOS browser-engine deployments. If the named feature is not exposed, the CRITICAL browser-exploit chain is mostly academic for enterprise prioritization.
Why not lower?
I am not calling this IGNORE because the vendor still shipped a fix for a memory-safety bug with potential sandbox escape impact, and Apple now has limited regional/entitlement-based paths for alternative browser engines. If you run beta channels, EU/Japan browser-engine experiments, or unmanaged mobile populations, that edge case deserves verification rather than dismissal.
05 · Compensating Control
What to do — in priority order.
- Inventory Chrome iOS versions — Pull this from MDM/mobile app inventory and identify anything below 149.0.7827.53. For a LOW verdict there is no mitigation SLA; handle it in the next normal mobile-app hygiene cycle and document any exception populations.
- Keep App Store auto-update enforcement on — For managed iPhones and iPads, use your normal MDM policy to keep Chrome updating automatically. That closes this issue without burning incident-response time; for LOW, treat it as backlog hygiene rather than an interrupt-driven change.
- Review alternative-engine pilots — If your org has any regional browser-engine pilots, beta tracks, or special entitlements that could change iOS browser feature exposure, validate those separately. That is the one scenario where this CVE could move closer to the vendor's model.
What doesn't work
- Perimeter internet scanning does not help; this is a client-side mobile browser flaw, not an exposed service.
- A WAF does not materially reduce fleet risk here because the exploit is delivered to end-user browsing sessions and the decisive issue is local feature reachability.
- Server-side patch SLAs are the wrong muscle memory; there is no externally reachable appliance to harden.
06 · Verification
Crowdsourced verification payload.
Run this on an auditor workstation against an exported MDM/app inventory CSV, not on the iPhone itself. Invoke it as python3 check_chrome_ios_cve_2026_11165.py inventory.csv; it needs only read access to the CSV and no endpoint admin rights. Expected columns are flexible, but the script works best with device, app or bundle_id, and version.
#!/usr/bin/env python3
# check_chrome_ios_cve_2026_11165.py
# Purpose: assess Chrome on iOS inventory for CVE-2026-11165 exposure
# Usage: python3 check_chrome_ios_cve_2026_11165.py inventory.csv
# Exit codes:
# 0 = all matching Chrome iOS entries are PATCHED
# 1 = at least one matching Chrome iOS entry is VULNERABLE
# 2 = UNKNOWN (missing data, parse issues, or no matching rows)
import csv
import re
import sys
from pathlib import Path
FIXED = (149, 0, 7827, 53)
CHROME_BUNDLES = {
'com.google.chrome.ios',
'com.google.chrome',
}
def norm(s):
return (s or '').strip()
def looks_like_chrome_ios(app, bundle):
a = norm(app).lower()
b = norm(bundle).lower()
if b in CHROME_BUNDLES:
return True
if 'chrome' in a and ('ios' in a or 'iphone' in a or 'ipad' in a):
return True
if a == 'google chrome':
return True
return False
def parse_version(v):
v = norm(v)
if not v:
return None
m = re.findall(r'\d+', v)
if not m:
return None
parts = tuple(int(x) for x in m[:4])
while len(parts) < 4:
parts = parts + (0,)
return parts
def cmp_ver(a, b):
return (a > b) - (a < b)
def pick(row, *names):
lower = {k.lower(): v for k, v in row.items()}
for name in names:
if name.lower() in lower:
return lower[name.lower()]
return ''
if len(sys.argv) != 2:
print('UNKNOWN - usage: python3 check_chrome_ios_cve_2026_11165.py inventory.csv')
sys.exit(2)
path = Path(sys.argv[1])
if not path.exists() or not path.is_file():
print(f'UNKNOWN - file not found: {path}')
sys.exit(2)
seen = 0
vuln = 0
unknown = 0
patched = 0
with path.open(newline='', encoding='utf-8-sig') as f:
reader = csv.DictReader(f)
if not reader.fieldnames:
print('UNKNOWN - CSV has no header row')
sys.exit(2)
for row in reader:
device = norm(pick(row, 'device', 'device_name', 'hostname', 'serial', 'asset')) or 'UNKNOWN_DEVICE'
app = pick(row, 'app', 'application', 'app_name', 'name')
bundle = pick(row, 'bundle_id', 'bundle', 'package', 'identifier')
version_raw = pick(row, 'version', 'app_version', 'installed_version')
if not looks_like_chrome_ios(app, bundle):
continue
seen += 1
ver = parse_version(version_raw)
if ver is None:
unknown += 1
print(f'{device}: UNKNOWN - Chrome iOS version missing or unparsable ({version_raw!r})')
continue
if cmp_ver(ver, FIXED) < 0:
vuln += 1
print(f'{device}: VULNERABLE - Chrome iOS {version_raw} < 149.0.7827.53')
else:
patched += 1
print(f'{device}: PATCHED - Chrome iOS {version_raw} >= 149.0.7827.53')
if seen == 0:
print('UNKNOWN - no Chrome iOS rows matched; verify app/bundle naming in the CSV')
sys.exit(2)
summary = f'SUMMARY matched={seen} vulnerable={vuln} patched={patched} unknown={unknown}'
print(summary)
if vuln > 0:
sys.exit(1)
elif unknown > 0:
sys.exit(2)
else:
sys.exit(0)
07 · Bottom Line
If you remember one thing.
TL;DR
Monday morning, have the mobile team pull an MDM report for Chrome on iOS and identify anything below 149.0.7827.53, but do not let this displace real edge-service or KEV work. For this LOW call there is no noisgate mitigation SLA and no noisgate remediation SLA; treat it as backlog hygiene and close it in the next routine mobile-app update wave, while separately checking any alternative-browser-engine pilots, beta channels, or regional exceptions that could make WebMIDI reachable.
Sources
Peer Review
What defenders are saying.
Submit a review
attribution: handle + country only
0 flags selected · stored anonymously
Validation Results
Crowdsourced verification outputs.
Results submitted by users who ran the verification payload against their environment.