CVE-2026-10888: Chrome Cast Streaming Use-After-Free RCE – Urgent Patch Required
Google Chrome versions before 149.0.7827.53 contain a use-after-free memory vulnerability in the Cast Streaming feature that allows attackers on your local network to run arbitrary code on affected machines. An attacker doesn't need valid credentials or user interaction to exploit this—just the ability to send crafted network traffic to a vulnerable Chrome instance. This is a serious vulnerability because it bridges network access to code execution on systems within the same network segment.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-416
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Use after free in Cast Streaming in Google Chrome prior to 149.0.7827.53 allowed an attacker on the local network segment to execute arbitrary code via malicious network traffic. (Chromium security severity: Critical)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10888 is a use-after-free vulnerability (CWE-416) in Google Chrome's Cast Streaming implementation. The flaw allows local network attackers to trigger memory corruption by sending specially crafted network packets, leading to arbitrary code execution with the privileges of the Chrome process. The attack vector is network-adjacent (AV:A), requires no authentication (PR:N), and needs no user interaction (UI:N), making it straightforward to exploit once an attacker gains access to the local network segment. Google assigned this a Critical severity rating in their internal assessment, reflected in the CVSS 3.1 score of 8.8 (HIGH).
Business impact
Organizations should assess this as a meaningful risk to endpoints that run Chrome on networks where an attacker might be present. The vulnerability enables lateral movement and privilege escalation within a trusted network environment—an attacker could pivot from compromising a guest device to executing code on sensitive workstations. For companies relying on Cast-enabled features or shared network spaces (conference rooms, labs, development environments), this represents a direct path to system compromise without requiring social engineering or zero-day hunting on the target machine itself.
Affected systems
The vulnerability affects Google Chrome prior to version 149.0.7827.53 across all major operating systems: Windows, macOS, Linux, and the Linux kernel. Any system running a vulnerable Chrome version that can communicate on a local network segment is at risk. Organizations should verify their Chrome deployment versions and identify machines that have not yet received the patched release.
Exploitability
Exploitation requires local network access to the target system but no authentication, valid user account, or user interaction. An attacker positioned on the same network segment—whether through a compromised device, rogue access point, or legitimate presence in a shared network environment—can trigger the vulnerability by sending malicious Cast Streaming protocol traffic. The straightforward attack surface and low prerequisites make this a practical threat in mixed-trust network environments, though it is less critical for air-gapped or tightly segmented corporate networks.
Remediation
Update Google Chrome to version 149.0.7827.53 or later on all affected systems. Organizations should prioritize patching machines on shared or untrusted networks, particularly those in high-risk areas like guest networks, conference rooms, or development labs. Verify the patch deployment using Chrome's built-in update mechanism or your organization's software management tools. For users unable to update immediately, disable Cast Streaming if it is not a required feature, or restrict local network access to trusted devices through network segmentation and firewall rules.
Patch guidance
Google has released Chrome version 149.0.7827.53 with a fix for this vulnerability. Deploy via your standard Chrome update channel—most users will receive the patch automatically through Chrome's built-in updater. In enterprise environments, verify patch deployment through your configuration management system or by checking chrome://version on target machines. If your organization uses Google Admin controls, ensure that auto-update policies are enabled or manually push the patched version. For macOS users, verify that system Chrome (if managed by your organization) or user-installed Chrome has received the update; macOS does not auto-update independently installed Chrome copies.
Detection guidance
Monitor for abnormal Cast Streaming protocol traffic on your network, particularly from unexpected sources or directed to systems that should not be using Cast features. Inspect Chrome crash reports for memory corruption signatures or heap corruption indicators that may indicate exploitation attempts. Network intrusion detection systems should flag suspicious Cast protocol activity, especially handshake anomalies or oversized/malformed payloads. On affected endpoints, look for Chrome process crashes, unexpected child process spawning, or unusual system calls following Cast Streaming traffic. If available, review Chrome's internal security logging through your enterprise monitoring infrastructure.
Why prioritize this
This vulnerability merits urgent priority because it combines low exploitation difficulty, network-adjacent attack surface, and critical impact (arbitrary code execution). Unlike many network vulnerabilities that require application-level interaction, this flaw sits in a media streaming subsystem that may be running silently in the background. The absence of KEV status does not diminish the threat; organizations should not delay patching based on public exploit availability. Prioritize systems on shared networks or with high-value data access.
Risk score, explained
The CVSS 3.1 score of 8.8 (HIGH) reflects the combination of network-adjacent attack complexity (AV:A), no authentication or user interaction required (PR:N, UI:N), and severe impact across confidentiality, integrity, and availability (C:H, I:H, A:H). While not rated CVSS 9.0+, the practical risk is elevated by the reality of local network compromise as a common attack vector and the strategic value of lateral movement within enterprise environments. The lack of KEV designation does not lower the risk; it indicates no public active exploitation has been formally documented, but internal development of exploits is possible.
Frequently asked questions
Do I need to be on the same Wi-Fi network as a vulnerable Chrome user to exploit this?
Yes, the vulnerability requires local network segment access (AV:A in CVSS terms). This includes shared Wi-Fi networks, Ethernet networks, or any Layer 2/3 boundary where the attacker can send traffic to the target. Attackers cannot exploit this over the public internet.
Will my Chrome automatically update to the patched version?
Chrome typically auto-updates in the background on Windows, macOS, and Linux. However, the update may require a browser restart to take effect. You can manually check for updates by navigating to chrome://settings/help and verifying your version matches 149.0.7827.53 or later. In enterprise environments, contact your IT team to confirm deployment status.
If I don't use Cast features, am I still at risk?
Yes. Cast Streaming may be active even if you are not actively casting content. The vulnerability exists in the underlying protocol implementation, which listens for Cast traffic by default. If your system connects to networks where an attacker might be present, disabling Cast Streaming (through policy or user settings) reduces your exposure, but patching is the recommended solution.
What should I do if I cannot update Chrome immediately?
Minimize use of Chrome on shared or untrusted networks. If possible, restrict your network access to trusted devices only, or disable Cast functionality through Group Policy (Windows) or configuration profiles (macOS/Linux). Network-level mitigations such as VLANs or firewall rules can limit local network discovery of Cast-enabled devices. However, these are interim measures; patching should be prioritized as soon as feasible.
This analysis is based on vulnerability metadata published as of the modification date (2026-06-17) and reflects the current understanding of CVE-2026-10888. Exploit code and detailed attack methodologies are not provided. Organizations should verify patch availability and deployment procedures against official Google Chrome security advisories and their vendor documentation. Network segments and trust boundaries vary by organization; local network risk should be assessed within your specific infrastructure context. This content is for informational purposes and does not constitute professional security advice. Consult with your internal security team or a qualified security professional for guidance tailored to your environment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10001HIGHChrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGHChrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10007HIGHChrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)
- CVE-2026-10012HIGHChrome Skia Use-After-Free Sandbox Escape (v148.0.7778.216)
- CVE-2026-10013HIGHUse-After-Free in Chrome WebCodecs – Patch Guide & Risk Assessment
- CVE-2026-10016HIGHUse-After-Free in Chrome DOM – Sandbox Code Execution Vulnerability
- CVE-2026-10882HIGHCritical Chrome Use-After-Free RCE Vulnerability – Exploit Details & Patch Guidance