PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-11165 Google CVE debrief

CVE-2026-11165 is a use-after-free vulnerability in WebMIDI in Google Chrome on iOS prior to version 149.0.7827.53. This vulnerability, with a CVSS score of 9.6, could allow a remote attacker to potentially perform a sandbox escape via a crafted HTML page. The vulnerability was published on [cve-org](https://www.cve.org/CVERecord?id=CVE-2026-11165) and detailed further on [nvd](https://nvd.nist.gov/vuln/detail/CVE-2026-11165).

Vendor
Google
Product
Chrome
CVSS
CRITICAL 9.6
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-04
Original CVE updated
2026-06-09
Advisory published
2026-06-04
Advisory updated
2026-06-09

Who should care

Users of Google Chrome on iOS, particularly those who may be targeted by remote attackers, should be aware of this vulnerability. IT administrators and security teams should prioritize patching to version 149.0.7827.53 or later.

Technical summary

The vulnerability is a use-after-free issue in WebMIDI, a component of Google Chrome. This type of vulnerability occurs when the program attempts to use memory after it has been freed, potentially leading to arbitrary code execution. In this case, the vulnerability is particularly severe because it could allow a remote attacker to escape the sandbox, which is a critical security feature of modern web browsers.

Defensive priority

High

Recommended defensive actions

  • Update Google Chrome on iOS to version 149.0.7827.53 or later.
  • Ensure that all users of Google Chrome on iOS are aware of the update and apply it as soon as possible.

Evidence notes

The CVE was published on June 4, 2026, and modified on June 9, 2026. The vulnerability has been analyzed and has a CVSS score of 9.6, indicating a critical severity level.

Official resources

This debrief is based on information from official sources and is intended for defensive purposes only.