CVE-2026-6358
Google · Chrome for Android
A use-after-free vulnerability in the XR component of Google Chrome on Android may lead to memory corruption and potential code execution.
Executive summary
A critical use-after-free vulnerability in the XR component of Google Chrome for Android exposes mobile devices to potential remote code execution attacks.
Vulnerability
This is a use-after-free vulnerability located within the XR (Extended Reality) component of the browser. An unauthenticated attacker could trigger this flaw by enticing a user to visit a malicious site, leading to memory corruption.
Business impact
Exploitation of this vulnerability could allow an attacker to execute arbitrary code within the context of the browser, potentially leading to unauthorized access to sensitive user data on the mobile device. With a CVSS score of 8.8, this flaw represents a high risk to organizational mobile security and data privacy.
Remediation
Immediate Action: Update Google Chrome for Android to version 147 or the latest available release via the Google Play Store.
Proactive Monitoring: Review mobile device management (MDM) logs for users running outdated versions of the browser and enforce mandatory update policies.
Compensating Controls: Utilize mobile threat defense (MTD) solutions to identify and block connections to malicious domains that may attempt to exploit browser-based vulnerabilities.
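One way to carry out the "Proactive Monitoring" step above is to run a version check over an MDM inventory export and list every device whose Chrome for Android build is below the fixed major release (147). The script below is an added example, not part of the advisory or any MDM vendor's tooling; the CSV column names and the inventory rows are constructed assumptions, and only the package name com.android.chrome and the fixed version come from known facts and the advisory respectively.

```python
"""Flag Android devices whose Chrome build predates the fixed release (147)."""
import csv
import io

FIXED_MAJOR = 147  # from the advisory: update Chrome for Android to 147 or later

# Constructed MDM inventory export. The column names are an assumption for this
# example, not the schema of any real MDM product.
SAMPLE_INVENTORY = """device_id,user,os,app_package,app_version
A1,alice,Android 14,com.android.chrome,146.0.7123.45
A2,bob,Android 13,com.android.chrome,147.0.7200.10
A3,carol,Android 14,com.android.chrome,147.1.0.0
A4,dave,Android 12,com.android.chrome,not-installed
A5,erin,Android 14,org.mozilla.firefox,135.0
A6,frank,Android 14,com.android.chrome,140.0.6900.1
"""


def parse_version(text):
    """Return a tuple of ints for a dotted version string, or None if unparsable."""
    parts = text.strip().split(".")
    try:
        return tuple(int(p) for p in parts)
    except ValueError:
        return None


def is_outdated(version, fixed_major=FIXED_MAJOR):
    """True when the Chrome major version is below the fixed major release.

    Unparsable or missing versions are treated as outdated so they surface for
    manual review rather than silently passing.
    """
    parsed = parse_version(version)
    if parsed is None:
        return True
    return parsed[0] < fixed_major


def find_outdated_chrome(csv_text, fixed_major=FIXED_MAJOR):
    """Return [(device_id, user, version)] for Chrome installs below the fix.

    Rows for other browsers are ignored; only com.android.chrome is in scope.
    """
    outdated = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["app_package"] != "com.android.chrome":
            continue
        if is_outdated(row["app_version"], fixed_major):
            outdated.append((row["device_id"], row["user"], row["app_version"]))
    return outdated


if __name__ == "__main__":
    for device_id, user, version in find_outdated_chrome(SAMPLE_INVENTORY):
        print(f"{device_id}\t{user}\tChrome {version} -> update to {FIXED_MAJOR}+")
```

Comparing on the major version is deliberate: the advisory names only "version 147", so any 147.x build is treated as fixed, and anything the inventory cannot parse is reported rather than assumed safe. Point the script at a real export by replacing SAMPLE_INVENTORY with the file contents and adjusting the column names to the MDM's schema.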
Exploitation status
Public Exploit Available: false
Analyst recommendation
Mobile devices are frequently overlooked in patch management cycles, increasing the risk of exploitation. Administrators must ensure that all Android devices in the corporate fleet receive the necessary Chrome updates to remediate this high-severity security gap.