HIGH 7.5

CVE-2026-10900: Critical Chrome Password Manager Use-After-Free on macOS

A use-after-free flaw in Google Chrome's password management feature on macOS allows attackers to corrupt memory and potentially execute code if they trick a user into performing specific interactions with a malicious webpage. The vulnerability requires user interaction and affects Chrome versions before 149.0.7827.53. While rated HIGH by CVSS, the attack surface is narrowed by the need for deliberate user gestures and the complexity of reliable exploitation.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-416
Affected products
2 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Use after free in Passwords in Google Chrome on Mac prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10900 is a use-after-free vulnerability (CWE-416) residing in Chrome's password handling subsystem on macOS. Use-after-free flaws occur when code accesses memory that has been deallocated, potentially allowing an attacker to read sensitive data or overwrite heap structures. In this case, the vulnerability manifests through specific UI gestures—likely involving the password manager interface—triggered by a crafted HTML page. The attacker must convince the user to perform these gestures; the flaw does not trigger passively through mere page visitation. Chromium has assigned this a Critical security severity classification internally.

Business impact

Organizations face two primary risks: direct user compromise through credential theft or malware installation if employees are targeted, and reputational damage if the incident becomes public. The password manager context is particularly sensitive, as compromised password databases could lead to lateral movement across enterprise systems. However, the requirement for user interaction and specific UI gestures significantly limits mass-exploitation scenarios. Incident response teams should prepare for targeted social engineering campaigns that combine Chrome exploitation with phishing or watering-hole techniques.

Affected systems

Google Chrome on macOS versions prior to 149.0.7827.53 are affected. The vulnerability is specific to the macOS platform; Chrome on Windows, Linux, and Android are not impacted by this particular flaw. Users on supported macOS versions (including both Intel and Apple Silicon architectures) running vulnerable Chrome builds are at risk. Enterprise deployments using Chrome on macOS with password manager features enabled are particularly relevant.

Exploitability

Exploitation requires a high degree of user interaction and social engineering. An attacker must convince a user to visit a malicious site and perform specific UI gestures within Chrome's password manager—a notably high barrier compared to passive exploits. The CVSS vector (AC:H, UI:R) reflects this complexity. While Chromium rates the vulnerability Critical internally, the practical exploitability is constrained by the interaction requirement and the technical precision needed to reliably trigger heap corruption. No public exploit code or active in-the-wild exploitation has been reported as of the modification date.

Remediation

Patch Chrome to version 149.0.7827.53 or later immediately. macOS users should enable automatic updates in Chrome settings (chrome://settings/help), which typically deploy patches within 24 hours of release. Enterprise deployments should push the update through their standard patch management process, prioritizing systems where Chrome password manager usage is high or where sensitive credentials are stored. Verify patch deployment by checking chrome://version to confirm the build number.

Patch guidance

Google Chrome automatically notifies users of available updates and provides a restart prompt. Users can manually check for updates via chrome://settings/help. For macOS, the update process requires restarting the browser; no additional system restart is necessary. Enterprise administrators should verify patch deployment using device management tools or Group Policy (Windows) / Profile Manager (macOS). Version 149.0.7827.53 or higher resolves the vulnerability. Test the patch in a limited environment before full rollout if your organization has custom security configurations.

Detection guidance

Monitor for Chrome crashes or unexpected restarts on macOS systems, particularly those involving password manager interactions. Endpoint Detection and Response (EDR) tools should flag unusual heap corruption patterns or memory access violations in Chrome processes. Web filtering and DNS security can help block known malicious domains used in campaigns targeting this flaw. Log unusual password manager activity or failed authentication attempts that coincide with suspicious web browsing. For forensic analysis, review Chrome's crash reports (chrome://crashes) and system memory dumps if available.

Why prioritize this

Although rated HIGH by CVSS, this vulnerability should be treated as urgent due to its Critical Chromium classification, the sensitivity of password manager compromise, and the broad deployment of Chrome on macOS in enterprise environments. However, the interaction requirement prevents this from being treated as a widespread emergency compared to network-worm-capable flaws. Prioritize systems where users frequently handle sensitive credentials or manage access to critical infrastructure.

Risk score, explained

The CVSS 3.1 score of 7.5 (HIGH) reflects a network-based attack requiring user interaction and elevated access complexity (AC:H), but with high impact potential across confidentiality, integrity, and availability. The score appropriately weights the password manager context (high impact if compromised) against the practical exploitation barriers. Chromium's internal Critical rating suggests the payload potential is severe; the CVSS HIGH score reflects that exploitation is not trivial. Organizations should treat this as urgent but not panic-inducing—targeted response is more appropriate than emergency incident protocols.

Frequently asked questions

Does this vulnerability allow remote code execution?

Potentially, yes. The use-after-free can lead to heap corruption, which sophisticated attackers can leverage for code execution. However, achieving reliable RCE requires technical precision and overcoming modern memory protections (ASLR, DEP). Worst-case scenario: malware installation or credential theft from the password database.

Do I need to restart my computer after updating Chrome?

No. Chrome updates require only a browser restart. After you see the update notification, close and reopen Chrome (or click 'Relaunch'). Your system does not require a full restart. Automatic updates often apply the patch between sessions without user intervention.

Why does this only affect Chrome on macOS?

The vulnerability exists in code paths specific to macOS's memory management and Chrome's password manager UI implementation on that platform. Equivalent code on Windows, Linux, or Android either handles memory differently or is not exposed through the same UI gesture vector.

Is my password database compromised if I was on an older Chrome version?

Not necessarily. Compromise requires successful exploitation, which demands both user interaction and attacker success in triggering and weaponizing the heap corruption. If you've updated to 149.0.7827.53 or later, no further action is required for this specific CVE. If you're concerned about prior exposure, consider changing frequently-used passwords as a precautionary measure.

This analysis is provided for informational purposes and does not constitute professional security advice. Organizations should verify all patch version numbers against official vendor advisories before deployment. CVE-2026-10900 is not currently listed on the CISA KEV catalog as of the published date. Exploit code and technical weaponization details are intentionally omitted. Always test patches in a controlled environment prior to enterprise rollout. Consult your vendor's official advisory for platform-specific guidance. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).