CVE-2026-10926: Chrome Cast Use-After-Free Code Execution Vulnerability
A use-after-free vulnerability exists in Google Chrome's Cast functionality that allows an attacker positioned on the same local network to execute arbitrary code on an affected system. The flaw requires no user interaction and can be triggered through specially crafted network traffic. This is a local network attack with high impact—an attacker gaining code execution can read sensitive data, modify system files, and disrupt operations.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-416
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Use after free in Cast in Google Chrome prior to 149.0.7827.53 allowed an attacker on the local network segment to execute arbitrary code via malicious network traffic. (Chromium security severity: High)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10926 is a use-after-free (CWE-416) vulnerability in the Cast subsystem of Google Chrome prior to version 149.0.7827.53. The vulnerability permits remote code execution when an attacker on the local network segment sends malicious network traffic to trigger memory corruption. The attack vector is adjacent network (AV:A), requires no authentication (PR:N), and needs no user interaction (UI:N). The impact is complete compromise of confidentiality, integrity, and availability on the affected system. Chromium has assigned this a High security severity rating.
Business impact
Organizations must assume that any Chrome user on a compromised or untrusted network segment is at risk of code execution, credential theft, and lateral movement. If attackers gain execution on a user's Chrome process, they can exfiltrate browsing history, stored passwords, session cookies, and other sensitive data. In corporate environments sharing networks with guest or contractor systems, or in any scenario where network segmentation is weak, this vulnerability poses a material risk to data security and system integrity.
Affected systems
Google Chrome is the primary affected product; all versions prior to 149.0.7827.53 are vulnerable. The vulnerability can also impact systems running Chrome on Apple macOS, Microsoft Windows, and Linux distributions. Any system with an affected Chrome version connected to a local network where an attacker is also present is at risk.
Exploitability
Exploitability is high within the attack surface—specifically on local network segments. An attacker must be on the same network as the target (same subnet or network segment), but once positioned, the attack requires no user interaction and no authentication. The straightforward attack vector (malicious network traffic) and lack of user interaction requirements mean exploitation could be automated. However, the requirement to be on the local network limits the attacker's scope compared to internet-facing attacks.
Remediation
Update Google Chrome to version 149.0.7827.53 or later immediately. Verify the update by checking Chrome's About page (chrome://about), which will display the current version number and automatically check for updates. For macOS, Windows, and Linux, Chrome's built-in update mechanism should deploy the patch automatically, though forced restart of the browser may be required. Organizations should verify patch deployment across managed endpoints.
Patch guidance
Google Chrome automatically updates on most platforms; however, administrators should verify that the update has been applied by checking About Chrome or using endpoint management tools. No manual configuration is required post-patch. Test patch rollout on a small group of machines first if using a managed deployment system. Verify that the version number shown in chrome://version corresponds to 149.0.7827.53 or higher. If auto-update is disabled in your environment, manually trigger updates or re-enable the auto-update feature.
Detection guidance
Monitor for unexpected Chrome process crashes or restarts, which may indicate exploitation attempts. Network-based detection is challenging without decryption of traffic, but monitor for unusual DNS requests or unexpected outbound connections originating from Chrome processes on systems where Cast is active. Behavioral analytics that track process execution chains, file access patterns, or privilege escalation following Chrome process execution may reveal post-exploitation activity. Endpoint detection and response (EDR) tools should flag suspicious process spawning from Chrome's sandbox escape.
Why prioritize this
This vulnerability merits immediate patching due to the combination of high CVSS score (8.8), straightforward exploitation mechanism (local network positioning + malicious traffic), and complete system compromise impact (code execution with full privileges). While the local network requirement limits external attack scope, many organizations have weak network segmentation. The lack of user interaction and authentication requirements means an attacker can exploit it continuously if network access exists. Early patch adoption is critical.
Risk score, explained
The CVSS 3.1 score of 8.8 (HIGH) reflects a use-after-free leading to code execution with full system impact (Confidentiality, Integrity, and Availability all scored as High). The attack vector is Adjacent Network (not Internet-facing, which would increase severity), Attack Complexity is Low (no special conditions needed), and no privileges or user interaction are required. Scope is Unchanged. This score appropriately captures a serious but locally-scoped threat. The vulnerability is not yet in the CISA KEV catalog, indicating either recent publication or limited active exploitation reporting at the time of assessment.
Frequently asked questions
Can I be exploited on home Wi-Fi or public networks?
Yes. Any Wi-Fi network—home, corporate, or public—where an attacker is also present poses a risk. The attacker must be on the same network segment. In public Wi-Fi environments, assume untrusted parties are present and update Chrome immediately.
Does Chrome's sandboxing prevent this attack?
The use-after-free occurs within Chrome's Cast subsystem and can lead to sandbox escape and arbitrary code execution. While sandboxing provides some defense-in-depth, it does not prevent this vulnerability. Patching is the primary mitigation.
What if I don't use Chrome's Cast feature?
Cast is part of Chrome's standard functionality. Disabling it may reduce exposure, but the vulnerability exists in the code path, and the safest approach is to patch. Verify your browser version and update regardless.
Is there a workaround if I can't update immediately?
Isolate Chrome users to trusted, segmented networks with strong access controls if possible. Disconnect from untrusted networks. However, these are temporary measures—patching should be the immediate priority.
This analysis is based on publicly available information as of the vulnerability publication date. No exploit code or weaponized proof-of-concept is provided herein. Organizations should verify patch availability and compatibility with their specific Chrome deployment and OS versions through the official Google Chrome release notes and vendor security advisories. This content is for informational purposes and does not constitute professional security advice; consult your security team or a professional adviser for deployment guidance specific to your environment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10001HIGHChrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGHChrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10007HIGHChrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)
- CVE-2026-10012HIGHChrome Skia Use-After-Free Sandbox Escape (v148.0.7778.216)
- CVE-2026-10013HIGHUse-After-Free in Chrome WebCodecs – Patch Guide & Risk Assessment
- CVE-2026-10016HIGHUse-After-Free in Chrome DOM – Sandbox Code Execution Vulnerability
- CVE-2026-10882HIGHCritical Chrome Use-After-Free RCE Vulnerability – Exploit Details & Patch Guidance