PatchSiren

CVE-2026-11163 Google CVE debrief

CVE-2026-11163 is a use-after-free vulnerability in the Messages feature of Google Chrome on Android in versions prior to 149.0.7827.53. It carries a CVSS score of 9.6 (Critical), while the Chromium security severity classification rates it Medium. A remote attacker could potentially exploit it with a crafted HTML page, which might enable a sandbox escape.

Vendor: Google
Product: Chrome
CVSS: CRITICAL 9.6
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-04
Original CVE updated: 2026-06-08
Advisory published: 2026-06-04
Advisory updated: 2026-06-08

Who should care

Users of Google Chrome on Android prior to version 149.0.7827.53 should update their browser to the latest version to mitigate this vulnerability. It is particularly concerning because a remote attacker could potentially use it to escape the sandbox, which is a critical security feature of web browsers.

Technical summary

The vulnerability is caused by a use-after-free issue in the Messages feature of Google Chrome on Android. A use-after-free occurs when an application uses memory after it has been freed, which can lead to unpredictable behavior and potential exploitation. The weakness is classified as CWE-416 (Use After Free).

Defensive priority

High

Recommended defensive actions

  • Update Google Chrome on Android to version 149.0.7827.53 or later.
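To confirm the update has actually landed across a set of managed devices, the check below compares each device's installed Chrome build against the fixed version. It is an added example, not part of the original advisory. The device names, sample versions and the choice of `adb shell dumpsys package com.android.chrome` as the data source are assumptions; only the fixed version comes from this page.

```python
import re

# First fixed Chrome for Android build, taken from this advisory.
FIXED = "149.0.7827.53"

# Constructed sample: per-device output of
#   adb shell dumpsys package com.android.chrome | grep versionName
# Device names and installed versions are hypothetical.
SAMPLE_INVENTORY = {
    "pixel-lab-01": "    versionName=149.0.7827.53\n",
    "pixel-lab-02": "    versionName=149.0.7827.9\n",
    # Assumption: when two entries appear, the first is the active package
    # and the second is the preinstalled system copy it replaced.
    "tablet-qa-07": "    versionName=148.0.7778.120\n    versionName=147.0.7727.55\n",
    "kiosk-03": "",  # Chrome missing or the query failed
    "phone-dev-11": "    versionName=150.0.7871.4\n",
}

VERSION_RE = re.compile(r"versionName=(\d+(?:\.\d+){3})")


def to_tuple(version):
    """Split a dotted version into integers so 7827.9 sorts below 7827.53."""
    return tuple(int(part) for part in version.split("."))


def installed_version(dumpsys_text):
    """Return the first four-part versionName in the output, or None."""
    match = VERSION_RE.search(dumpsys_text)
    return match.group(1) if match else None


def classify(dumpsys_text, fixed=FIXED):
    """Return 'patched', 'vulnerable', or 'unknown' for one device."""
    version = installed_version(dumpsys_text)
    if version is None:
        return "unknown"  # treat as needing manual follow-up, not as safe
    return "patched" if to_tuple(version) >= to_tuple(fixed) else "vulnerable"


def audit(inventory, fixed=FIXED):
    """Map each device name to its patch status."""
    return {device: classify(text, fixed) for device, text in inventory.items()}


if __name__ == "__main__":
    for device, status in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{device}: {status}")
```

A plain string comparison would report `149.0.7827.9` as newer than `149.0.7827.53`, which is why the versions are compared as integer tuples.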

Evidence notes

The CVE was published on 2026-06-04T23:17:22.917Z and modified on 2026-06-08T14:33:48.840Z. The vulnerability was reported through the Chromium issue tracker (issue 502072755).
