CVE‑2026‑11010 describes a use‑after‑free flaw in the WebShare component of Google Chrome on Android. This vulnerability allows a remote attacker who has already compromised the browser’s renderer process to escape the sandbox by loading a specially crafted HTML page.
At the core of the issue is how the Android WebShare API handles share requests. The renderer process (which parses and executes web content) sends a share request containing a target URL to the browser’s privileged Java code. In vulnerable versions, the URL scheme was not explicitly validated before being processed. An attacker with control over the renderer can craft a request that causes the browser to prematurely free a memory object that is later reused (use‑after‑free). Specifically, if the share URL uses a disallowed scheme such as `javascript:` or any other non‑HTTP/S scheme, the Java layer does not reject the request outright. Instead, the pointer to that URL remains accessible after the object has been freed, leading to a use‑after‑free condition.
Because the renderer runs inside a sandbox, the initial compromise is not sufficient to break out of the browser. However, the use‑after‑free in WebShare can be abused to overwrite critical function pointers or return addresses. By carefully controlling the freed memory, the attacker can redirect execution to arbitrary code outside the sandbox, thus achieving a full sandbox escape. This technique leverages the fact that the freed object’s memory region may later be allocated for other purposes, allowing the attacker to manipulate its contents.
The patch, introduced in Chrome 149.0.7827.53, adds explicit validation of the share URL’s scheme in `ShareServiceImpl.java`. If the scheme is not `http:` or `https:`, the request is rejected with `ShareError.PERMISSION_DENIED`, and the offending renderer is terminated (`RFH_INVALID_WEB_SHARE`). This prevents any compromised renderer from passing arbitrary or malicious URL schemes to the privileged Java code, closing the use‑after‑free vector. The fix also includes additional unit tests to verify the new validation.
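The allow-list check described above, written out as an added Python illustration of the defensive pattern. This is not Chromium's `ShareServiceImpl.java`; the names `validate_share_url`, `ShareDecision`, `handle_share_request` and the sample URLs are assumptions made here, and only the `PERMISSION_DENIED` and `RFH_INVALID_WEB_SHARE` labels come from the write-up. The point it demonstrates is that the privileged side re-derives the scheme from the raw bytes it received, compares against an allow-list rather than a deny-list, and fails closed on anything malformed.

```python
"""Scheme allow-list check modelled on the fix described for CVE-2026-11010.

Added illustration, not Chromium code. validate_share_url, ShareDecision and
handle_share_request are names chosen here; "PERMISSION_DENIED" and
"RFH_INVALID_WEB_SHARE" are the labels the write-up quotes.
"""
import re
from dataclasses import dataclass
from typing import Callable, Optional

# Only these schemes may cross the renderer -> browser boundary.
ALLOWED_SCHEMES = frozenset({"http", "https"})

# RFC 3986 scheme grammar: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) then ":".
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+\-.]*):")


@dataclass(frozen=True)
class ShareDecision:
    allowed: bool
    error: Optional[str]        # share error returned to the caller
    bad_message: Optional[str]  # reason recorded when terminating the renderer


def extract_scheme(url: str) -> Optional[str]:
    """Return the lower-cased scheme, or None if there is no well-formed one.

    No trimming or other normalisation is done on purpose: a leading space,
    a missing scheme or a scheme-relative URL all yield None, so the check
    fails closed instead of guessing what the renderer meant.
    """
    match = _SCHEME_RE.match(url)
    return match.group(1).lower() if match else None


def validate_share_url(url: str) -> ShareDecision:
    """Browser-side decision, made purely from the bytes received.

    The renderer is untrusted (the write-up assumes it is already compromised),
    so nothing it claims about the URL is used; the scheme is re-derived here
    and compared against an allow-list rather than a deny-list.
    """
    if extract_scheme(url) in ALLOWED_SCHEMES:
        return ShareDecision(True, None, None)
    return ShareDecision(False, "PERMISSION_DENIED", "RFH_INVALID_WEB_SHARE")


def handle_share_request(url: str, kill_renderer: Callable[[str], None]) -> str:
    """Dispatch mirroring the described behaviour: reject and terminate, or proceed.

    kill_renderer stands in for whatever the host uses to drop a misbehaving
    renderer (an assumption of this example); it receives the bad-message label.
    """
    decision = validate_share_url(url)
    if not decision.allowed:
        kill_renderer(decision.bad_message)
        return decision.error
    return "OK"


if __name__ == "__main__":
    # Constructed sample inputs; the javascript: one is the case the write-up names.
    samples = [
        "https://example.com/article",
        "HTTP://example.com/",
        "javascript:alert(1)",
        "intent://scan/#Intent;scheme=zxing;end",
        " https://example.com/",
        "//example.com/scheme-relative",
    ]
    for sample in samples:
        outcome = handle_share_request(sample, lambda why: print("  renderer killed:", why))
        print(f"{sample!r:45} -> {outcome}")
```

Only the first two samples are accepted; the upper-case scheme passes because comparison is case-insensitive, while the leading-space and scheme-relative inputs are rejected without any attempt to repair them.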
This vulnerability is classified as CWE‑416 (Use After Free). Its official Chromium severity is Medium, but the CVSS 3.1 score is 8.3 (HIGH), reflecting the potential for high impact on confidentiality, integrity, and availability despite the relatively complex attack prerequisites (network access, high attack complexity, and user interaction required).
DailyCVE Form:
Platform: `Android`
Version: `<149.0.7827.53`
Vulnerability: `Use‑After‑Free`
Severity: `Medium/8.3`
Date: `2026‑06‑04`
Prediction: `2026‑06‑04 (already patched)`
What Undercode Say:
Check installed Chrome version on Android (via adb): `adb shell dumpsys package com.android.chrome | grep versionName`
Search for WebShare related crash logs: `adb logcat | grep -E "WebShare|ShareServiceImpl"`
Verify patch status (build 149.0.7827.53 or higher): `adb shell pm dump com.android.chrome | grep "versionName="` and compare the reported value against 149.0.7827.53 (the `versionCode` field is an integer and cannot be matched against the dotted build number).
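The version check from the procedure above, carried a step further as an added Python example (not part of the original post). It runs the same `adb shell dumpsys package com.android.chrome` command, parses the `versionName` line and compares it numerically against the fixed build the post gives, which a plain grep for the exact string cannot do. `SAMPLE_DUMPSYS` is a constructed excerpt used for offline testing, and the function names are assumptions made here.

```python
"""Patch-status check for the adb procedure above.

Added example, not part of the original post. It runs the same
`adb shell dumpsys package com.android.chrome` the post uses, parses the
versionName line and compares it numerically against the fixed build the
post gives (149.0.7827.53). SAMPLE_DUMPSYS is a constructed excerpt used for
offline testing; function names are assumptions made here.
"""
import re
import subprocess
from typing import Callable, List, Optional, Tuple

PACKAGE = "com.android.chrome"
FIXED_VERSION = "149.0.7827.53"          # from the write-up
_VERSION_NAME_RE = re.compile(r"versionName=(\d+(?:\.\d+)+)")

# Constructed excerpt of what `dumpsys package` prints; not captured from a device.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.android.chrome] (1234abcd):
    userId=10123
    versionCode=782705300 minSdk=26 targetSdk=34
    versionName=149.0.7827.53
"""


def parse_version(version: str) -> Tuple[int, ...]:
    """'149.0.7827.53' -> (149, 0, 7827, 53); tuples compare component-wise."""
    return tuple(int(part) for part in version.split("."))


def is_patched(version_name: str) -> bool:
    """True when the installed build is the fixed one or newer.

    A grep for the exact fixed build misses every later release, and a string
    comparison is wrong too ('149.0.7827.9' sorts after '149.0.7827.53'),
    hence the numeric tuple comparison.
    """
    return parse_version(version_name) >= parse_version(FIXED_VERSION)


def version_name_from_dumpsys(output: str) -> Optional[str]:
    """Pull versionName out of dumpsys output.

    versionCode is an integer and is not comparable to the dotted build number,
    so only versionName is read.
    """
    match = _VERSION_NAME_RE.search(output)
    return match.group(1) if match else None


def _run_adb(args: List[str]) -> str:
    """Run an adb command and return its stdout, or '' if adb is unavailable."""
    try:
        proc = subprocess.run(["adb", *args], capture_output=True, text=True,
                              timeout=30, check=False)
    except (OSError, subprocess.TimeoutExpired):
        return ""
    return proc.stdout


def installed_version(package: str = PACKAGE,
                      run_adb: Callable[[List[str]], str] = _run_adb) -> Optional[str]:
    """versionName of the package on the attached device, or None if unknown.

    run_adb is injectable so the parsing can be exercised without a device.
    """
    return version_name_from_dumpsys(run_adb(["shell", "dumpsys", "package", package]))


if __name__ == "__main__":
    found = installed_version()
    if found is None:
        print("could not read versionName (no device, no adb, or package missing)")
    else:
        state = "patched" if is_patched(found) else "VULNERABLE"
        print(f"{PACKAGE} {found}: {state} (fixed in {FIXED_VERSION})")
```

Running it with a device attached prints the installed build and whether it is at or above the fixed version; without adb it reports that the version could not be read rather than silently treating the device as patched.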
Exploit:
- Attacker compromises the Chrome renderer process via a different vulnerability (e.g., V8 RCE).
- From the compromised renderer, attacker calls the WebShare API with a target URL that uses a disallowed scheme (e.g., `javascript:alert(1)`).
- The renderer sends a `ShareRequest` to the privileged Java layer without proper scheme validation.
- The Java layer creates an object representing the URL and then prematurely frees it.
- The attacker triggers a use‑after‑free by reallocating the freed memory with attacker‑controlled data, overwriting function pointers or return addresses.
- The browser later uses the corrupted pointer, redirecting execution to shellcode that performs a sandbox escape.
Protection:
- Upgrade Google Chrome on Android to version 149.0.7827.53 or later.
- Disable or restrict the WebShare feature via Chrome policies (`WebShareApiEnabled` set to `false`).
- Use endpoint detection software that monitors for abnormal renderer‑to‑browser IPC messages.
- Keep Android OS and all other applications fully updated to reduce the likelihood of renderer compromise.
Impact:
A successful sandbox escape allows the attacker to execute arbitrary code outside the browser’s restricted environment, potentially with the same privileges as the browser application. This can lead to full device compromise, including data theft, installation of persistent malware, and remote control of the affected Android device.
Sources:
Reported By: nvd.nist.gov