CVE-2026-10887: Critical Chrome Chromoting Use-After-Free RCE on macOS
A use-after-free flaw in Chrome's Chromoting remote desktop feature on macOS allows attackers to execute arbitrary code by sending specially crafted network traffic. The vulnerability exists in versions prior to 149.0.7827.53 and requires no user interaction—an attacker on the network can trigger the bug remotely, making this a critical threat to any Mac user running an affected Chrome version.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.1 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-416
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Use after free in Chromoting in Google Chrome on Mac prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code via malicious network traffic. (Chromium security severity: Critical)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10887 is a use-after-free vulnerability (CWE-416) in the Chromoting module of Google Chrome on macOS. Chromoting is Chrome's remote desktop protocol implementation. The flaw permits a remote unauthenticated attacker to cause a memory corruption condition by sending malicious network traffic, leading to arbitrary code execution in the context of the browser process. The vulnerability has a CVSS v3.1 score of 8.1 (HIGH severity) with a network-based attack vector, high complexity, no privileges required, and no user interaction needed. While Chromium has assigned it Critical severity internally, the CVSS rating reflects the high exploitability and impact potential.
Business impact
Successful exploitation enables full code execution within the Chrome browser process, potentially allowing attackers to steal sensitive data, install malware, access locally cached credentials, or pivot to adjacent systems. Given that Chromoting is commonly used for remote IT support and administrative access, compromise could extend beyond the immediate workstation to trusted systems. Organizations relying on Chrome for remote work or remote desktop access face elevated risk. The 'no user interaction' requirement means users cannot be socially engineered into clicking a link—passive network exposure is sufficient.
Affected systems
Google Chrome on Apple macOS versions prior to 149.0.7827.53 are affected. macOS itself is listed as an affected product, though the vulnerability is specific to Chrome running on macOS; macOS versions themselves do not require patching. Any organization or individual running Chrome on a Mac with a version number below 149.0.7827.53 should be considered at risk.
Exploitability
The vulnerability requires network access but no authentication or user interaction, making it readily exploitable by a remote attacker. However, the CVSS 'high complexity' rating suggests the attack is non-trivial—the attacker must craft specific malicious network traffic to trigger the use-after-free condition. The lack of public exploit code and the absence of KEV (Known Exploited Vulnerability) status as of the data snapshot indicate active in-the-wild exploitation has not yet been confirmed, but the attack surface is broad since any networked Mac running Chrome is potentially vulnerable during Chromoting sessions or related network activity.
Remediation
Update Google Chrome on macOS to version 149.0.7827.53 or later immediately. This is a priority patch addressing a critical remote code execution flaw. Users should enable automatic updates if not already active. Verify the installed version via Chrome menu > About Google Chrome, which will display the current version and trigger an update check if needed. No workarounds are available for this use-after-free bug; patching is the only mitigation.
Patch guidance
Deploy Chrome version 149.0.7827.53 or later on all affected macOS systems. Google Chrome's auto-update mechanism will push this patch automatically to users, but organizations with managed Chrome deployments should verify rollout completion within 48–72 hours of availability. For macOS systems managed via MDM or custom configurations, confirm that update policies allow or enforce installation of this version. If Chrome instances are pinned to older versions for compatibility reasons, risk acceptance should be documented and escalated to leadership given the Critical severity rating.
Detection guidance
Monitor Chrome process version strings across your macOS fleet to identify systems still running versions below 149.0.7827.53. Endpoint detection and response (EDR) tools should be tuned to flag any unusual memory corruption crashes in Chrome or suspicious child process spawning from the browser. Network-based detection is limited since the malicious traffic would need deep packet inspection of Chromoting protocol streams; focus detection efforts on host-level signals such as unexpected code execution from chrome.exe or chrome helper processes. Log Chrome update events to verify timely patching compliance.
Why prioritize this
This vulnerability merits immediate patching priority due to its network-exploitable remote code execution capability, the 'no user interaction' requirement, high attack surface (any Mac running Chrome), and Chromium's Critical severity classification. Although not yet in the KEV catalog, the combination of high CVSS score and ease of triggering makes it a prime target for threat actors. Organizations should treat this as a zero-day equivalent and prioritize deployment within 24–48 hours.
Risk score, explained
The CVSS 8.1 (HIGH) score reflects a remote network attack requiring no privileges or user interaction, but with high attack complexity. The severity is constrained from CRITICAL to HIGH due to the complexity requirement—the attacker cannot trivially exploit this via a single malformed packet but must precisely craft network traffic to trigger the memory corruption. However, given Chromium's internal Critical rating and the broad attack surface, the practical risk is elevated; organizations should treat this as effectively critical and patch accordingly.
Frequently asked questions
Do I need to update macOS itself, or just Chrome?
Only Chrome requires updating. macOS is listed as an affected product because the vulnerability manifests on that OS, but there is no macOS patch required. Update Chrome on your macOS system to version 149.0.7827.53 or later.
What is Chromoting and why does this matter?
Chromoting is Chrome's remote desktop feature, allowing users to share and access their desktop remotely. If an attacker exploits this vulnerability via malicious network traffic, they can execute arbitrary code on your machine even without direct user action, potentially compromising sensitive data or enabling further attacks on your network.
Is this vulnerability currently being exploited in the wild?
As of the latest data, this vulnerability has not been added to the CISA KEV (Known Exploited Vulnerability) catalog, suggesting active in-the-wild exploitation has not yet been publicly confirmed. However, the low attack complexity and high impact make it an attractive target, so assume exploitation is possible and patch immediately.
Can I disable Chromoting to mitigate this risk before updating?
While disabling Chromoting would reduce attack surface, it is not a substitute for patching. The vulnerability is in the Chromoting code itself, and the safest approach is to update Chrome to the patched version. If you must delay patching, consult your security team about disabling remote desktop features as a temporary measure.
This analysis is provided for informational purposes and represents the state of threat intelligence as of the data publish date. Patch version numbers, CVSS scores, and KEV status should be verified against official Google Chrome security advisories and CISA databases before making patching decisions. Organizations should conduct internal risk assessments based on their Chrome deployment scope and network environment. SEC.co does not provide guarantee of exploit availability or in-the-wild prevalence; threat actors' adoption timeline may vary. Always test patches in non-production environments before enterprise-wide deployment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10001HIGHChrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGHChrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10005HIGHChrome macOS Use-After-Free RCE Vulnerability (7.5 CVSS)
- CVE-2026-10007HIGHChrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)
- CVE-2026-10012HIGHChrome Skia Use-After-Free Sandbox Escape (v148.0.7778.216)
- CVE-2026-10013HIGHUse-After-Free in Chrome WebCodecs – Patch Guide & Risk Assessment
- CVE-2026-10016HIGHUse-After-Free in Chrome DOM – Sandbox Code Execution Vulnerability