HIGH 7.5

CVE-2026-10901: Chrome Password Manager Use-After-Free RCE on macOS

A use-after-free memory flaw exists in Google Chrome's password manager on macOS. An attacker can trigger the vulnerability by convincing a user to interact with a specially crafted webpage in specific ways—for example, through unusual clicking patterns or drag-and-drop actions in the password UI. Successful exploitation allows remote code execution with the privileges of the Chrome process. This is a memory safety issue where the browser continues to reference password manager data after it has been freed, creating an opportunity for malicious code injection.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-416
Affected products
2 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Use after free in Passwords in Google Chrome on Mac prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10901 is a use-after-free vulnerability (CWE-416) in the password management component of Google Chrome on macOS. The flaw allows an unauthenticated remote attacker to execute arbitrary code by hosting a crafted HTML page and inducing a user to perform specific UI gestures—likely interactions that trigger concurrent state changes in the password manager. The vulnerability stems from improper memory lifecycle management within the password subsystem, where freed memory is accessed after deallocation. The attack requires user interaction and has no network-level exploitation path, but the barrier to user engagement is relatively low given Chrome's ubiquity and the plausibility of social engineering around password management workflows.

Business impact

Organizations relying on Chrome as a primary browser face a significant risk to user workstations and data confidentiality. Exploitation could allow an attacker to execute arbitrary code in the context of the logged-in user, potentially leading to theft of stored credentials (passwords, payment data), installation of malware, lateral movement within corporate networks, or espionage. For enterprises with strict password hygiene policies, the compromise of a user's Chrome password store could undermine those controls. The attack surface is broad—any macOS user running vulnerable Chrome versions who visits an attacker-controlled site is at risk.

Affected systems

Google Chrome versions prior to 149.0.7827.53 on macOS are affected. This includes all stable and older release channels on Mac systems. Users on Windows, Linux, and ChromeOS should verify whether corresponding patches have been released for those platforms, as the advisory specifically references Mac. macOS versions are not the limiting factor—the vulnerability affects any macOS system running a vulnerable Chrome build, regardless of OS version.

Exploitability

Exploitation requires a remote attacker to craft a malicious HTML page and convince a user to visit it while performing specific UI interactions with Chrome's password manager. The attack is not wormable or self-propagating. User interaction is a prerequisite, which reduces the likelihood of mass exploitation but does not eliminate the risk—phishing campaigns, malicious advertisements, or compromised legitimate sites could deliver the payload. The use-after-free flaw itself is likely reliable once the correct UI gesture sequence is identified, meaning successful attacks would achieve code execution consistently. The vulnerability is not currently tracked in CISA's Known Exploited Vulnerabilities catalog.

Remediation

Update Google Chrome to version 149.0.7827.53 or later on all macOS systems. This patch addresses the memory management flaw in the password manager. Apply the update as soon as practically possible to reduce exposure window. No workarounds are available; patching is the only mitigation. Organizations should enforce Chrome auto-update policies and audit systems to confirm patch deployment. Users should manually check for updates via Chrome settings if auto-update is disabled.

Patch guidance

Google has released Chrome 149.0.7827.53 for macOS with a fix for this vulnerability. Administrators should verify this patch version against the official Google Chrome release notes. Deploy via established update mechanisms: enterprises can use Google Update for Business or MDM solutions; individual users should enable automatic updates or manually trigger 'Check for updates' in Chrome's settings menu (Chrome menu > About Google Chrome). Test in a limited pilot before full rollout if your environment requires validation. Confirm successful deployment by verifying Chrome version in chrome://version after updates complete.

Detection guidance

Monitor Chrome version inventory across macOS systems to identify machines running versions before 149.0.7827.53. Endpoint detection tools and mobile device management platforms can query installed Chrome versions. Network-level detection of exploitation attempts is limited, as the attack relies on user interaction with a web page; however, monitor for suspicious process execution spawned by Chrome processes on patched and unpatched systems alike. Alert on unusual password manager access patterns or rapid authentication events if integrated with identity management. Review browser history on suspect machines for visits to unfamiliar or attacker-controlled domains in the relevant timeframe.

Why prioritize this

Prioritize this vulnerability due to the combination of remote code execution impact, user interaction requirement (moderate barrier), and the widespread use of Chrome on macOS in both consumer and enterprise environments. While CVSS severity is rated HIGH (7.5) rather than CRITICAL from a base-score perspective, Google's Chromium security team classified it as Critical, reflecting the real-world exploitability and damage potential. The lack of KEV listing indicates no in-the-wild exploitation has been confirmed yet, but memory corruption flaws in security-sensitive features like password managers are historically attractive to threat actors. Patch deployment should commence immediately.

Risk score, explained

The CVSS 3.1 score of 7.5 (HIGH) reflects a remote network attack vector, high complexity (AC:H, due to required user interaction and specific UI gestures), no privilege escalation requirement, and complete compromise of confidentiality, integrity, and availability within the Chrome process. The user interaction requirement (UI:R) prevents the maximum CVSS severity, but the scope remains unchanged because code execution occurs in the user's security context. This score conservatively weights the barrier imposed by needing specific UI gestures; in practice, successful social engineering could lower the practical attack complexity.

Frequently asked questions

Does this vulnerability affect Chrome on Windows or Linux?

The CVE advisory specifically references macOS. Verify with Google's official security advisories for Windows and Linux patch status, as use-after-free flaws in cross-platform components may or may not be present on other operating systems.

Can this be exploited without user interaction?

No. The vulnerability requires a user to perform specific UI gestures within the password manager UI on a crafted HTML page. There is no network-only exploitation vector. However, phishing or malvertising can lower the barrier to user engagement.

Is this vulnerability being exploited in the wild?

As of the advisory date, this vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog, indicating no confirmed in-the-wild exploitation. However, the criticality rating and memory safety nature of the flaw make it an attractive target for sophisticated actors.

What is the difference between the CVSS score and Google's 'Critical' severity rating?

CVSS 7.5 is the standardized numerical metric used for comparison across vulnerabilities. Google's Chromium security team applies its own severity scale (Critical, High, Medium, Low) based on impact, exploitability, and reach; a Critical rating reflects the real-world danger, while CVSS reflects calculated technical factors. Both assessments warrant immediate patching.

This analysis is provided for informational and educational purposes. SEC.co makes no guarantee of the accuracy or completeness of this vulnerability intelligence and does not warrant the suitability of any recommended actions for your organization's specific environment. Consult official vendor advisories and conduct your own risk assessment. Patch deployment, detection, and remediation strategies should be validated in your environment before production rollout. References to patch versions and vendor advisories should be independently verified against the official Google Chrome security release notes. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).