CVE-2026-10903: Chrome WebRTC Use-After-Free RCE Vulnerability – Patch 149.0.7827.53
A use-after-free vulnerability exists in Google Chrome's WebRTC implementation that allows an attacker to execute arbitrary code within Chrome's sandbox by convincing a user to visit a malicious website. The vulnerability affects Chrome versions prior to 149.0.7827.53 and can lead to complete compromise of the browser process, including reading sensitive data, modifying content, and disrupting availability.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-416
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Use after free in WebRTC in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10903 is a use-after-free memory corruption flaw (CWE-416) in the WebRTC subsystem of Google Chrome. The vulnerability occurs when WebRTC components attempt to access memory that has already been freed, allowing an attacker to corrupt heap state and achieve code execution. The attack requires user interaction—specifically, visiting a crafted HTML page—but does not require authentication or elevated privileges. Execution occurs within Chrome's sandbox security boundary, providing a degree of isolation but not preventing process-level compromise.
Business impact
Successful exploitation allows attackers to execute malicious code within an end user's browser with the privileges of that user. In enterprise environments, this facilitates data theft from browser memory (including cached credentials, session tokens, and document content), malware installation, further lateral movement, and potential supply-chain compromise if users access internal systems. The requirement for user interaction makes this suitable for targeted spear-phishing campaigns against high-value individuals.
Affected systems
The vulnerability affects Google Chrome versions before 149.0.7827.53. While the CWE is specific to Chrome's WebRTC implementation, the vendor_products field includes macOS, Linux, and Windows because Chrome runs as the attack surface on these operating systems; they are affected as hosts for the vulnerable browser, not as independently vulnerable systems.
Exploitability
The vulnerability has a low barrier to exploitation: it requires only that a user visit a malicious website, making it suitable for watering hole attacks, malvertising, or phishing-delivered payloads. No exploit is currently confirmed to be in the wild, and the vulnerability is not currently listed on CISA's Known Exploited Vulnerabilities catalog. However, the attack surface is massive given Chrome's global user base and the relative ease of social engineering browser visits.
Remediation
Organizations should prioritize updating Google Chrome to version 149.0.7827.53 or later. For managed environments, IT teams should enforce automatic browser updates or deploy the patch through group policy and MDM solutions. Users on personal devices should enable automatic updates in Chrome settings. No workarounds exist beyond patching, though disabling WebRTC in browsers not requiring it can reduce exposure.
Patch guidance
Verify that Chrome deployment versions are updated to 149.0.7827.53 or later across all endpoints. Chrome typically auto-updates, but verify completion through the Settings > About Google Chrome menu, which displays the current version. In enterprise environments, confirm patch deployment against your management console (Workspace, Intune, or equivalent). Legacy or air-gapped Chrome installations require manual verification. Test patches on non-production endpoints first to ensure compatibility with any custom web applications or extensions.
Detection guidance
Monitor for exploitation attempts by looking for unusual WebRTC API calls, heap corruption signals, or crashes in Chrome renderer processes followed by suspicious process behavior. If available through endpoint detection and response (EDR) tools, watch for suspicious child processes spawned from Chrome and memory access patterns consistent with use-after-free exploitation. Network-level detection is challenging; focus on post-compromise indicators such as unexpected data exfiltration or lateral movement originating from compromised browser processes.
Why prioritize this
This vulnerability merits immediate patching attention due to its combination of high severity (CVSS 8.8), broad user exposure, low attack complexity, requirement for minimal user interaction, and potential for high-impact compromise. Although not yet weaponized publicly, the straightforward attack vector and sandboxed code execution make it an attractive target for sophisticated threat actors. Prioritize endpoints where users access sensitive data, financial systems, or internal resources.
Risk score, explained
The CVSS 3.1 score of 8.8 reflects high severity driven by: network-based attack vector (AV:N), low attack complexity (AC:L), no privilege requirement (PR:N), requirement for user interaction (UI:R), unchanged scope (S:U), and high impact across confidentiality, integrity, and availability (C:H, I:H, A:H). The score appropriately captures the ease of triggering the vulnerability and the substantial damage a successful exploit inflicts on the compromised process.
Frequently asked questions
Does patching Chrome on one device affect other devices?
No. Chrome patching is per-device; each instance must be updated independently. For organizations, this means deploying patches across your fleet systematically. Personal devices with automatic updates enabled will patch automatically, but corporate-managed devices depend on your MDM or browser management policy.
Can this vulnerability be exploited if a user doesn't click anything on a malicious page?
Yes. The attacker only needs the user to *visit* the page; no additional user interaction such as clicking a button or entering input is required. This makes the attack easier to deliver via phishing or watering holes.
Is my data encrypted in Chrome vulnerable to this attack?
This vulnerability operates within the browser process itself. Passwords stored in Chrome's password manager that are encrypted at rest add a layer of protection, but session data, site content, and unencrypted communications visible in memory during the session can be accessed. Use HTTPS for sensitive transactions and consider disabling automatic password saving for high-security accounts.
What if I disable WebRTC in Chrome?
Disabling WebRTC (via chrome://settings or extensions) reduces attack surface if your workflow doesn't require it, but it is not a complete workaround because the vulnerability resides in the WebRTC subsystem itself and could theoretically be reachable through other code paths. Patching remains the definitive solution.
This analysis is provided for informational purposes and represents SEC.co's assessment as of the publication date. CVSS scores, patch versions, and vendor advisory details are sourced from official CVE records and vendor statements; verify all patch versions against official Google Chrome release notes and your environment's compatibility requirements before deployment. No exploit code or weaponized proof-of-concept information is provided. Organizations should conduct their own risk assessment based on asset criticality, user behavior, and threat landscape applicable to their environment. SEC.co makes no warranty regarding the completeness or accuracy of this analysis and disclaims liability for decisions made based solely on this content. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10001HIGHChrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGHChrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10007HIGHChrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)
- CVE-2026-10012HIGHChrome Skia Use-After-Free Sandbox Escape (v148.0.7778.216)
- CVE-2026-10013HIGHUse-After-Free in Chrome WebCodecs – Patch Guide & Risk Assessment
- CVE-2026-10016HIGHUse-After-Free in Chrome DOM – Sandbox Code Execution Vulnerability
- CVE-2026-10882HIGHCritical Chrome Use-After-Free RCE Vulnerability – Exploit Details & Patch Guidance