Google Chrome for iOS: Batch of 10 Vulnerabilities Disclosed, Including High-Severity Use-After-Free Flaws
Google patched ten vulnerabilities in Chrome for iOS on June 4-5, 2026, including critical use-after-free bugs allowing arbitrary code execution.

Key findings
- Ten vulnerabilities disclosed for Google Chrome for iOS on June 4-5, 2026.
- Includes four high or critical severity 'use after free' vulnerabilities.
- Critical flaws could allow remote attackers to execute arbitrary code.
- All disclosed vulnerabilities patched in Chrome for iOS version 149.0.7827.53.
- Batch includes medium and low severity issues affecting policy enforcement and UI spoofing.

On June 4th and 5th, 2026, Google disclosed a batch of ten vulnerabilities affecting Google Chrome for iOS. The disclosures, spanning a one-hour window, include several high-severity flaws, notably multiple 'use after free' vulnerabilities that could allow remote attackers to execute arbitrary code.
The most severe issues, rated High and Critical by Chromium security standards, are 'use after free' vulnerabilities. CVE-2026-10958 and CVE-2026-10885, both rated Critical, and CVE-2026-10952 and CVE-2026-10952, rated High, could permit remote attackers to execute arbitrary code or exploit heap corruption via crafted HTML pages. These vulnerabilities were fixed in Chrome for iOS version 149.0.7827.53.
Beyond the critical memory corruption bugs, the batch also includes medium-severity issues. CVE-2026-11205, an 'inappropriate implementation' vulnerability, could lead to arbitrary script or HTML injection via a crafted QR code, requiring user interaction. Another medium-severity flaw, CVE-2026-11214, an 'inappropriate implementation' in Chrome for iOS, could allow a remote attacker to leak cross-origin data through a crafted HTML page.
Several low-severity vulnerabilities were also part of this disclosure. These include issues related to 'insufficient policy enforcement' and 'inappropriate implementation,' potentially allowing for bypasses of discretionary access control or the same-origin policy, as seen in CVE-2026-11302, CVE-2026-11277, and CVE-2026-11298. Additionally, CVE-2026-11285, an 'inappropriate implementation,' could enable UI spoofing.
All ten vulnerabilities were addressed in Google Chrome for iOS version 149.0.7827.53. Users are strongly advised to update their Chrome browser to the latest version to mitigate these security risks. The rapid disclosure and patching cycle highlights Google's ongoing efforts to secure its browser against emerging threats.
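For administrators, the update advice above is a version gate against 149.0.7827.53; the Python below is an added example (not code from Google or from this article) that audits an app-inventory export for Chrome for iOS installs older than that build. The CSV column names, device names and every version other than the fixed build are constructed, and the bundle ID `com.google.chrome.ios` is an assumption about how your inventory identifies Chrome for iOS.

```python
import csv
import io
import re

FIXED_VERSION = "149.0.7827.53"                 # fixed build named in the article
CHROME_IOS_BUNDLE_ID = "com.google.chrome.ios"  # assumption: ID used in your inventory

# Constructed sample of an MDM app-inventory export (hypothetical column names).
SAMPLE_INVENTORY = """device,bundle_id,version
ipad-lab-01,com.google.chrome.ios,149.0.7827.53
iphone-ops-07,com.google.chrome.ios,149.0.7827.9
iphone-hr-12,com.google.chrome.ios,148.0.7778.100
ipad-kiosk-03,com.google.chrome.ios,150.0.7901.2
iphone-dev-02,com.google.chrome.ios,unknown
iphone-dev-02,com.apple.mobilesafari,18.5
"""

def parse_version(text):
    """Return a 4-tuple of ints, or None if text is not a dotted numeric version."""
    text = text.strip()
    if not re.fullmatch(r"[0-9]+(?:\.[0-9]+){0,3}", text):
        return None
    nums = [int(p) for p in text.split(".")]
    return tuple(nums + [0] * (4 - len(nums)))  # pad short versions with zeros

def is_patched(version, fixed=FIXED_VERSION):
    """True or False for a parseable version, None when it cannot be judged."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    # Compare numerically: as plain strings, "149.0.7827.9" sorts above
    # "149.0.7827.53" and an outdated build would be reported as patched.
    return parsed >= parse_version(fixed)

def audit(inventory_csv):
    """Split Chrome for iOS installs into patched, outdated and unknown lists."""
    result = {"patched": [], "outdated": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["bundle_id"] != CHROME_IOS_BUNDLE_ID:
            continue
        state = is_patched(row["version"])
        key = "unknown" if state is None else ("patched" if state else "outdated")
        result[key].append((row["device"], row["version"]))
    return result

if __name__ == "__main__":
    for status, devices in audit(SAMPLE_INVENTORY).items():
        for device, version in devices:
            print(f"{status:9} {device:15} {version}")
```

Rows with an unparseable version are reported as unknown instead of being counted as patched, so they can be followed up by hand.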
This coordinated disclosure event underscores the importance of timely patching for widely used applications like Google Chrome. The presence of critical vulnerabilities, even in a mobile-specific version, necessitates vigilance from users and administrators alike. While many of the disclosed issues were low-severity, the inclusion of high and critical flaws warrants immediate attention.