HIGH 8.8

CVE-2026-10890: Chrome Cast Use-After-Free Heap Corruption Vulnerability

Google Chrome contains a use-after-free vulnerability in its Cast functionality that could allow an attacker on your local network to corrupt the browser's memory and potentially execute malicious code. The flaw affects Chrome versions prior to 149.0.7827.53 and requires no user interaction to trigger—an attacker simply needs to send specially crafted network traffic to exploit it. This is a local network attack vector, meaning the attacker must be on the same network segment as the target system.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.8 HIGH · CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-416
Affected products
4 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Use after free in Cast in Google Chrome prior to 149.0.7827.53 allowed an attacker on the local network segment to potentially exploit heap corruption via malicious network traffic. (Chromium security severity: Critical)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10890 is a use-after-free vulnerability (CWE-416) in Google Chrome's Cast implementation. The vulnerability allows heap corruption when the Cast subsystem fails to properly manage object lifecycle, leaving freed memory references that can be exploited via malicious network packets. The attack requires network adjacency (CVSS vector AV:A) but no authentication, user action, or system compromise prerequisites. The vulnerability impacts confidentiality, integrity, and availability of the affected process. Google rated this Critical severity in their Chromium security classification, and it affects Chrome on Windows, macOS, and Linux distributions.

Business impact

Compromised Chrome browsers can leak sensitive user data (browsing history, cached credentials, form data), be used to pivot laterally within corporate networks, or serve as a beachhead for further attacks. In enterprise environments, this is particularly dangerous because Cast functionality is often enabled by default and frequently used on shared networks (office WiFi, conference room displays). An attacker could silently compromise multiple employee machines on the same network segment without user awareness, creating supply-chain or espionage risks.

Affected systems

Google Chrome (all versions before 149.0.7827.53) running on Windows, macOS, and Linux systems is affected. The vulnerability is specifically in the Cast component, which is a core Chrome subsystem. Users running Chrome 149.0.7827.53 or later are not affected. This includes Chromium-based browsers that incorporate this version of Cast.

Exploitability

Exploitability is moderate in most environments because the attacker must reside on the same local network segment—they cannot attack across the internet. However, in corporate environments with multiple users on shared WiFi, conferences with guest networks, or home networks with smart home devices and multiple computers, the attack surface can be significant. No user interaction is required; the victim's browser simply needs to be running on the vulnerable network. Active exploitation is not currently documented as widespread (not on CISA KEV list as of publication), but the attack is technically straightforward once an attacker has network position.

Remediation

Update Google Chrome to version 149.0.7827.53 or later immediately. On Windows and macOS, use Settings > About to trigger automatic updates or download the latest version from google.com/chrome. Linux users should update via their distribution's package manager. Verify the update with Settings > About > Google Chrome to confirm the version number has advanced beyond the vulnerable threshold. Consider temporarily disabling Cast on Chrome in high-risk environments if immediate patching is not feasible (Chrome menu > Settings > Privacy and security > Site Settings > Additional content settings > Cast).

Patch guidance

Google has released Chrome 149.0.7827.53 as the fixed version. The update is typically rolled out gradually but can be forced by navigating to Settings > About > Google Chrome, which checks for updates immediately. Organizations using Chrome policy can enforce the minimum version via enterprise policy (update the Chrome MSI/DMG or use ChromeOS management console). Test the update in a pilot group before full rollout to ensure compatibility with internal extensions or custom builds. Verify the update completed successfully by checking chrome://version to ensure you are running 149.0.7827.53 or a later build number.

Detection guidance

Monitor network traffic for suspicious Cast protocol activity originating from unexpected sources on your local network. Enable Chrome logging via enterprise policies to record Cast subsystem errors or crashes (chrome://crashes will show any process termination). Use endpoint detection tools to flag Chrome crash dumps with heap corruption signatures. Network-level detection is difficult without full Cast protocol inspection, so focus detection on post-exploitation signals: anomalous process spawning from Chrome, unusual outbound connections from the browser process, or unexpected memory access violations. IDS/IPS signatures specific to malicious Cast packets are not yet widely available but may be released by security vendors post-publication.

Why prioritize this

Despite a HIGH CVSS score (8.8) and Critical Chromium rating, prioritize this as urgent but not a tier-1 emergency in most organizations because the local network requirement significantly constrains attack scenarios. However, prioritize immediately in: (1) environments with hostile actors on shared networks (universities, public WiFi providers), (2) organizations expecting APT targeting, (3) systems handling highly sensitive data, or (4) remote work environments where personal devices join corporate networks. The lack of KEV listing and active exploitation reports means you have a brief window to patch before weaponization is likely.

Risk score, explained

The CVSS 3.1 score of 8.8 (HIGH) reflects critical impact (full confidentiality, integrity, and availability compromise) but is moderated by the network adjacency requirement (AV:A). In an open office or conference environment, this becomes a 9.0+; in an air-gapped lab, it becomes a 4.0. The score accurately captures the maximum damage potential (heap corruption leading to code execution) but does not fully reflect the reduced attack surface compared to remote vulnerabilities. Use this score as a baseline and adjust organizational risk based on your actual network architecture and threat model.

Frequently asked questions

Do I need to worry about this if I'm not on the same network as an attacker?

Correct—you are not at direct risk from this vulnerability if you are isolated on a different network segment or behind a NAT/firewall that prevents local network communication from untrusted sources. However, if you use VPN, remote desktop, or connect to public WiFi, you should assume you could share a network segment with a potential attacker.

Does disabling Cast completely eliminate the risk?

Yes. Disabling Cast in Chrome settings (Privacy and security > Site Settings > Additional content settings > Cast) removes the vulnerable code path from the attack surface. However, updating is the preferred remediation because Cast is a legitimate feature and disabling it is a workaround, not a solution.

Is there a patch for older Chrome versions, or do I have to upgrade to 149?

Google does not backport security fixes to older major versions. You must update to Chrome 149.0.7827.53 or later. If your system cannot run the latest Chrome (e.g., very old OS), you should isolate that system or switch browsers.

Can this vulnerability be exploited remotely over the internet?

No. The CVSS vector explicitly requires network adjacency (AV:A), meaning the attacker must be on the same local network segment. This cannot be exploited from the public internet. However, an attacker who has compromised another device on your network (e.g., a printer, IoT device, or guest device) could exploit this.

This analysis is based on publicly available information current as of the vulnerability publication date. CVSS scores and severity ratings are provided by Google and NVD and represent maximum impact in worst-case scenarios. Actual risk to your organization depends on network topology, threat model, and deployment context. Patch version numbers and availability should be verified directly with Google's security advisory and your internal deployment systems. This report does not constitute legal or compliance advice. Consult with your security team, vendor advisories, and industry guidance for definitive remediation timelines. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).