CVE-2026-10939: Chrome WebRTC Use-After-Free Remote Code Execution
A use-after-free vulnerability exists in Google Chrome's WebRTC component that allows an attacker to execute arbitrary code within Chrome's sandbox by tricking a user into visiting a malicious webpage. The vulnerability affects Chrome versions prior to 149.0.7827.53 across Windows, macOS, and Linux. While the exploit requires user interaction (clicking a link or visiting a site), the impact is severe: an attacker gains code execution within the browser process.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-416
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Use after free in WebRTC in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10939 is a use-after-free vulnerability (CWE-416) in the WebRTC implementation of Google Chrome. The flaw stems from improper memory management in WebRTC handlers, allowing an attacker to reference memory that has already been freed. By crafting a specially designed HTML page, a remote attacker can trigger this condition and achieve arbitrary code execution in the sandboxed Chrome process. The vulnerability requires user interaction to visit the malicious page but does not require any special browser configuration or additional privileges. The Chromium security team rated this as High severity.
Business impact
An attacker exploiting this vulnerability could execute malicious code within a user's Chrome browser sandbox, potentially leading to credential theft, malware installation, or lateral movement to other systems on the network. For organizations where employees regularly browse the internet, this represents a significant risk vector. The requirement for user interaction (visiting a crafted page) makes this a credible attack surface for targeted campaigns or watering hole attacks. Affected users include any individual or organization running vulnerable versions of Chrome on Windows, macOS, or Linux.
Affected systems
Google Chrome versions prior to 149.0.7827.53 are vulnerable across Windows, macOS, and Linux platforms. The vulnerability is a Chrome-specific defect in the WebRTC component, though the source data lists macOS, Windows, and Linux kernel as affected systems contexts, indicating the browser runs on these operating systems. Organizations should inventory Chrome installations and prioritize updating to version 149.0.7827.53 or later.
Exploitability
Exploitability is moderately high. The attack requires a user to visit a malicious webpage, which can be achieved through phishing, watering hole attacks, or malvertising. However, once a user visits the crafted page, no additional user action or browser configuration is needed—the vulnerability is triggered automatically. The attack is not complex to execute; the attacker simply needs to host the malicious HTML and get a target user to visit it. Given the widespread use of Chrome and the prevalence of browsing activity, this is a practical exploitation vector.
Remediation
Organizations should immediately update Google Chrome to version 149.0.7827.53 or later. Chrome includes auto-update functionality, but administrators should verify that updates are deployed and not deferred. For managed environments, enforce update policies to ensure no instances remain on vulnerable versions. End users should check their Chrome version (chrome://version) and manually trigger an update if necessary. No workaround exists; patching is the only mitigation.
Patch guidance
Update Google Chrome to version 149.0.7827.53 or later. Verify the patch version in Settings > About Google Chrome, which will show the current version and automatically check for updates. For enterprise deployments, use Chrome's group policy or mobile device management (MDM) solutions to force updates across managed devices. Monitor your environment to confirm all Chrome instances have reached the patched version before considering the vulnerability remediated. Check the official Google Chrome release notes to confirm 149.0.7827.53 contains the CVE-2026-10939 fix.
Detection guidance
Monitor for Chrome process anomalies following visits to untrusted websites. Log WebRTC-related crashes or renderer process terminations, which may indicate exploitation attempts. Endpoint detection and response (EDR) tools should flag suspicious code execution within Chrome sandbox boundaries. Network-based detection is limited since the attack occurs post-compromise; focus on behavioral indicators such as unexpected child processes spawned from Chrome or unusual file system modifications initiated by the browser. Security teams should also monitor for watering hole attacks targeting their user base and correlate with Chrome update status across the organization.
Why prioritize this
This vulnerability merits immediate attention (CVSS 8.8 HIGH) because it combines high impact (arbitrary code execution), moderate exploitability (user click required but no additional complexity), and broad reach (all Chrome users across major operating systems). The use-after-free class of vulnerability is well-understood by attackers, and WebRTC is a frequently-targeted component. The lack of KEV designation does not indicate low risk; rather, it reflects that as of the source data date, no widespread exploitation in the wild has been publicly disclosed. However, given the severity and ease of exploitation, expect threat actors to develop exploits rapidly if not already done. Organizations should treat this as a critical update priority.
Risk score, explained
The CVSS 3.1 score of 8.8 (HIGH) reflects: (1) Network-based attack vector (AV:N) requiring no local access; (2) Low attack complexity (AC:L) indicating the exploit does not require special conditions; (3) No privileges required (PR:N); (4) User interaction required (UI:R), which moderates the score from critical to high; (5) Confidentiality, integrity, and availability all severely impacted (C:H/I:H/A:H) due to arbitrary code execution within the sandbox. The user interaction requirement prevents this from being CRITICAL, but the sandbox escape potential and broad applicability across platforms justify the HIGH rating.
Frequently asked questions
Will updating Chrome to version 149.0.7827.53 protect me from this vulnerability?
Yes. Version 149.0.7827.53 patches the use-after-free defect in WebRTC. Verify your Chrome version in Settings > About Google Chrome. If you see a version number lower than 149.0.7827.53, you are vulnerable. Chrome typically auto-updates, but you can manually trigger an update from this screen.
Do I need to do anything other than update Chrome to be protected?
No additional action is required from a technical perspective. However, if you have visited untrusted websites recently and your Chrome had not yet auto-updated, consider running a security scan to detect any potential compromise. Once patched, the vulnerability cannot be exploited on your system.
Why does the vulnerability require user interaction if it's still rated HIGH?
User interaction (visiting a malicious page) is the only barrier to exploitation. However, this is a very realistic attack vector—phishing emails, watering hole sites, and malvertising campaigns routinely trick users into visiting attacker-controlled pages. The severity (arbitrary code execution, impact on confidentiality, integrity, and availability) remains very high even with this requirement. If exploitation were in the wild before patches were released, the real-world risk would be critical.
Is this vulnerability being actively exploited?
As of the source data date (June 2026), CVE-2026-10939 is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, meaning no widespread active exploitation in the wild has been publicly disclosed. However, this does not mean the vulnerability is not a target for attackers. Given the high severity, apply patches as a matter of course. Security research or targeted campaigns may not be immediately public.
This analysis is provided for informational purposes and reflects publicly available information as of the source data date. Specific patch version numbers, affected product lists, and CVSS scores are derived from authoritative vulnerability databases and vendor advisories and should be verified against the official Google Chrome release notes and security bulletins. No exploit code is provided herein. Organizations should conduct their own risk assessment and testing before deploying patches in production environments. SEC.co does not provide legal or compliance advice; consult your organization's security and legal teams regarding remediation timelines and regulatory obligations. This document does not constitute a substitute for professional security consultation or incident response services. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10001HIGHChrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGHChrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10007HIGHChrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)
- CVE-2026-10012HIGHChrome Skia Use-After-Free Sandbox Escape (v148.0.7778.216)
- CVE-2026-10013HIGHUse-After-Free in Chrome WebCodecs – Patch Guide & Risk Assessment
- CVE-2026-10016HIGHUse-After-Free in Chrome DOM – Sandbox Code Execution Vulnerability
- CVE-2026-10882HIGHCritical Chrome Use-After-Free RCE Vulnerability – Exploit Details & Patch Guidance