HIGH 8.8

CVE-2026-10891: Critical Use-After-Free in Google Chrome GFX on Linux

A use-after-free vulnerability in Google Chrome's graphics (GFX) component allows an attacker to corrupt Chrome's memory by tricking a user into visiting a malicious webpage. Once the memory is compromised, the attacker could read sensitive data, modify page content, or crash the browser. The issue affects Chrome on Linux systems running versions before 149.0.7827.53.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-416
Affected products
2 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Use after free in GFX in Google Chrome on Linux prior to 149.0.7827.53 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10891 is a use-after-free (CWE-416) flaw in the GFX rendering engine of Chromium. The vulnerability permits an unauthenticated remote attacker to trigger heap corruption through a crafted HTML payload. When a user navigates to the malicious page in a vulnerable Chrome instance on Linux, the graphics subsystem attempts to access memory that has already been freed, creating an exploitable condition. Google rated this Critical in Chromium's severity framework, corresponding to a CVSS 3.1 score of 8.8 (High). The attack requires user interaction (visiting the page) but no elevated privileges.

Business impact

Compromise of Chrome on Linux workstations can expose sensitive user data—cached credentials, session tokens, browsing history, and documents open in the browser. For organizations where developers, researchers, or knowledge workers rely on Linux-based systems, this vulnerability increases the risk of credential theft and intellectual property leakage. The need for user interaction (clicking a link, visiting a site) makes targeted phishing campaigns a likely attack vector. Organizations should prioritize patching to reduce the window of exposure and consider user awareness training about suspicious links.

Affected systems

Google Chrome on Linux systems prior to version 149.0.7827.53 are vulnerable. The Linux kernel itself is not directly affected; the vulnerability is specific to Chrome's GFX module on that operating system. Chrome on Windows and macOS are not mentioned in this CVE. Any user running an older Chrome build on a Linux desktop, server, or container environment is at risk.

Exploitability

Exploitation is moderately straightforward: an attacker crafts a malicious HTML page and tricks a user into visiting it (via phishing, social engineering, or ad injection). No special browser extensions, prior code execution, or system compromise is required. The attack succeeds once a user opens the page—no additional clicking or configuration needed beyond normal browsing. However, successfully weaponizing the heap corruption to achieve reliable code execution or data exfiltration requires careful heap manipulation and is not trivial. The vulnerability is not currently tracked in the CISA Known Exploited Vulnerabilities (KEV) catalog, suggesting active exploitation in the wild has not yet been confirmed at scale, though this does not mean it is risk-free.

Remediation

Update Google Chrome to version 149.0.7827.53 or later on all Linux systems. Most users will receive the update automatically through Chrome's built-in auto-update mechanism, typically within days. For enterprise deployments using managed Chrome or Chromium builds, verify that your distribution channel has rolled out the patched version. If auto-update is disabled in your environment, manually trigger an update check via Chrome's Settings > About Google Chrome menu or through your MDM/configuration management tools.

Patch guidance

1. Verify current Chrome version: navigate to chrome://version/ and confirm the version number. 2. Allow automatic updates to proceed, or manually click 'Update Google Chrome' in the About menu. 3. Restart the browser to apply the patch. 4. For Linux system administrators managing Chrome enterprise deployments, consult your organization's Chrome update channel (stable, beta, dev) and ensure all endpoints are configured to pull from a patched build. Testing on a small pilot group before full rollout is recommended to catch any compatibility issues. 5. Confirm patch success by re-checking chrome://version/ and verifying the build is 149.0.7827.53 or higher.

Detection guidance

Monitor Chrome version strings across your infrastructure using endpoint detection and response (EDR) tools or device inventory systems. Alert on any Linux-based systems running Chrome versions lower than 149.0.7827.53. Network-based detection is challenging because the attack relies on user browsing behavior; however, organizations with web proxies or DNS filtering can reduce exposure by blocking known malicious domains if threat intelligence feeds identify them. Browser telemetry and crash reports may surface attempted exploits, but manual inspection is unlikely to reveal attacks before they occur. Prioritize rapid patching as the primary defense.

Why prioritize this

This vulnerability combines a critical severity rating from Google, a high CVSS score (8.8), and broad attack surface (any Linux Chrome user). While it requires user interaction and is not yet in active widespread exploitation, the ease of delivery via phishing or compromised ads and the potential for data theft make it a legitimate near-term risk. Organizations should treat this as a priority patch, especially if Linux is common in your environment. The absence from the KEV catalog suggests some time to address it, but delay is unwise given the attack surface and impact.

Risk score, explained

The CVSS 3.1 score of 8.8 reflects high impact across confidentiality, integrity, and availability (all rated High), combined with a low attack complexity and network accessibility. The presence of user interaction (UI:R) prevents a perfect 9.8+ score. The Critical rating from Google's team carries additional weight and indicates their internal assessment of real-world danger. The current lack of KEV designation is not a downgrade; it simply means no public evidence of mass exploitation has reached CISA's threshold yet. Organizations should not use this as justification for delay.

Frequently asked questions

Do I need to worry about this if I use Chrome on Windows or macOS?

No. This CVE is specific to Chrome on Linux. If your systems run Windows or macOS, you are not affected by CVE-2026-10891, though you should maintain general patching practices for other potential Chrome vulnerabilities.

Will my anti-malware or firewall stop an attack?

Not reliably. The attack is a malicious webpage, which is harder to detect at the perimeter because the HTML itself may appear legitimate. Firewall and EDR can help detect post-exploitation activity, but the best defense is keeping Chrome patched to block the initial compromise.

If I don't click any links, am I safe?

Largely yes. Since the attack requires you to visit a malicious webpage, practicing caution with links and emails reduces risk. However, malicious ads or compromised legitimate websites can also serve the payload, so patching is still the prudent approach regardless of browsing habits.

Can I disable auto-updates in Chrome for stability reasons and still be secure?

Disabling auto-updates increases your exposure window significantly. If you must disable them for compatibility testing or other reasons, establish a strict manual update schedule and verify patched versions are deployed within days of release. Using an older Chrome version on purpose is a high-risk trade-off.

This analysis is based on the official CVE record, Google's Chromium security bulletin, and CVSS scoring standards as of the publication date. Specific patch version numbers and compatibility details should be verified against Google's official Chrome release notes and your organization's testing environment. No proof-of-concept code or weaponized exploit information is provided. This explainer is for informational and defensive purposes only. Organizations are responsible for their own patch testing, deployment timelines, and risk assessment. SEC.co does not guarantee the completeness or real-time accuracy of vulnerability intelligence and recommends cross-referencing with official vendor advisories for critical decisions. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).