HIGH 8.8

CVE-2026-10893: Critical Use-After-Free in Google Chrome Chromoting Remote Desktop

A use-after-free memory vulnerability exists in Google Chrome's Chromoting remote desktop feature that could allow an attacker to run malicious code on a victim's computer through specially crafted network traffic. The flaw affects Chrome versions before 149.0.7827.53 and requires user interaction to trigger. The vulnerability has been assigned a CVSS score of 8.8 (High severity).

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-416
Affected products
4 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Use after free in Chromoting in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code via malicious network traffic. (Chromium security severity: Critical)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10893 is a use-after-free (CWE-416) memory corruption vulnerability in Chromoting, Chrome's remote desktop component. The vulnerability stems from improper memory management where freed memory is accessed after deallocation, allowing remote code execution when a user is connected to or establishes a malicious Chromoting session. The attack vector is network-based with low attack complexity, and exploitation requires user interaction. Google classified this as Critical severity within Chromium's internal severity framework.

Business impact

Successful exploitation enables remote code execution with the privileges of the Chrome process, potentially granting attackers access to sensitive user data, credentials, browsing history, and the ability to install malware or establish persistence. Organizations relying on Chrome Remote Desktop for IT support, remote work, or system administration face elevated risk if users connect to untrusted Chromoting sessions or if attackers can intercept network traffic.

Affected systems

Google Chrome versions prior to 149.0.7827.53 on Windows, macOS, and Linux systems are affected. The vulnerability impacts Chrome on the underlying operating systems: Microsoft Windows, Apple macOS, and Linux (kernel-level systems running Chrome). Any system with Chrome installed before the patched version is potentially vulnerable.

Exploitability

This vulnerability requires network access and user interaction—specifically, the target user must establish or be involved in a Chromoting connection, either initiating a remote session or receiving an inbound connection request. An attacker cannot exploit this remotely without the user's involvement in the Chrome Remote Desktop activity. The low attack complexity and lack of privilege requirements make it moderately exploitable in targeted scenarios, though widespread drive-by exploitation is unlikely.

Remediation

Update Google Chrome to version 149.0.7827.53 or later on all affected platforms. Organizations should prioritize this patch for systems that use Chrome Remote Desktop for administrative or support functions, as well as for general user populations. Consider disabling Chromoting in Chrome if it is not actively needed in your environment.

Patch guidance

Google Chrome auto-updates by default, but verification is recommended. Users and administrators should: (1) Check Chrome version at chrome://version; (2) Ensure auto-updates are enabled in Chrome settings; (3) Manually check for updates via Menu > Help > About Google Chrome if auto-update is not occurring; (4) Force a restart of Chrome to apply pending updates. For managed deployments, verify the update has been applied through your endpoint management platform.

Detection guidance

Monitor for unusual Chromoting connection activity, particularly connections from unexpected or untrusted sources. Review Chrome Remote Desktop access logs and connection histories for anomalies. Endpoint detection and response (EDR) solutions should flag suspicious process creation or memory corruption indicators originating from Chrome. Network-based detection can identify potentially malicious Chromoting traffic by analyzing abnormal connection patterns or payloads to the Chromoting service.

Why prioritize this

Although not yet added to CISA's Known Exploited Vulnerabilities (KEV) catalog, this vulnerability merits high priority due to its Critical Chromium severity rating, direct code execution capability, and attack surface in Chrome Remote Desktop—a tool commonly used in IT operations and remote work scenarios. The CVSS 8.8 score reflects high impact across confidentiality, integrity, and availability. Organizations should treat this similarly to in-the-wild exploitation risks pending KEV confirmation.

Risk score, explained

The CVSS 3.1 score of 8.8 reflects: network-based attack vector (AV:N), low attack complexity (AC:L), no privilege escalation required (PR:N), user interaction needed (UI:R), impact limited to single user context (S:U), and high severity across all three impact categories—confidentiality, integrity, and availability (C:H/I:H/A:H). The score appropriately captures a remotely triggerable code execution flaw that requires minimal attacker effort beyond initial delivery of malicious content.

Frequently asked questions

Do I need to take action if I don't use Chrome Remote Desktop?

Chrome Remote Desktop (Chromoting) is an optional feature. If you do not use this functionality, your risk is reduced, though you should still apply Chrome security updates for other potential vulnerabilities. If unsure, check chrome://apps and search for 'Remote Desktop'—if not installed or used, the immediate risk is lower but patching remains recommended as a security best practice.

Will Chrome auto-update fix this automatically?

Chrome's auto-update mechanism should push version 149.0.7827.53 or later automatically over the coming days. However, auto-updates may be delayed or blocked by enterprise policies. Verify your version at chrome://version and manually update via Menu > Help > About Google Chrome if needed. Enterprise administrators should verify deployment across their fleet.

What does 'use-after-free' mean in practical terms?

A use-after-free occurs when a program accesses memory that has already been freed and returned to the system. An attacker crafting specific network traffic can trigger this condition in Chromoting, potentially allowing them to control that freed memory and execute arbitrary code. This is a common memory corruption technique that can bypass many security mechanisms.

Should I disable Chrome Remote Desktop entirely?

If you do not actively use Chrome Remote Desktop for support, remote work, or administration, disabling it reduces your attack surface. However, the primary mitigation is patching to version 149.0.7827.53. If you rely on this feature, update promptly rather than disable it, and consider restricting Chromoting access to trusted networks or requiring additional authentication.

This analysis is provided for informational purposes based on publicly available vulnerability data current as of the publication date. Patch version numbers and affected product details should be verified against official Google Chrome security advisories and vendor release notes before deployment. Organizations should conduct their own risk assessment based on their specific Chrome usage and Chromoting deployment. This advisory does not constitute professional security advice; consult with your security team or vendor for guidance tailored to your environment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).