HIGH 8.8

CVE-2026-10948: Chrome WebRTC Use-After-Free Remote Code Execution

A use-after-free vulnerability exists in Google Chrome's WebRTC implementation that allows attackers to run malicious code within the browser's sandbox by tricking users into visiting a crafted webpage. The attacker needs user interaction (clicking a link or visiting a malicious site) but requires no special privileges or system access to exploit it. Once triggered, the vulnerability grants full read, write, and execution capabilities within the sandboxed Chrome process.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-416
Affected products
4 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Use after free in WebRTC in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10948 is a use-after-free condition (CWE-416) in WebRTC code prior to Chrome 149.0.7827.53. The vulnerability occurs when memory that has been freed is subsequently accessed, allowing an attacker to corrupt the heap and achieve code execution. The WebRTC subsystem's memory management fails to properly track object lifecycle, leaving dangling pointers that a remote attacker can manipulate via a crafted HTML page. Exploitation occurs in the renderer process sandbox, limiting but not eliminating the security impact. The vulnerability requires user interaction to trigger and affects Chrome on Windows, macOS, and Linux.

Business impact

Chrome is the world's most widely deployed browser, making this a significant attack surface for organizations. If exploited, attackers could steal sensitive data from authenticated sessions, inject malware, or pivot to corporate networks via a seemingly innocent webpage visit. The sandbox containment reduces risk compared to kernel-level exploits, but sandbox escapes are a known threat vector. Organizations with bring-your-own-device policies or reliance on web-based applications face elevated exposure. The combination of high CVSS score (8.8) and ease of delivery via web content warrants rapid patching before adversaries weaponize it at scale.

Affected systems

Google Chrome on all major operating systems (Windows, macOS, Linux) is directly affected in versions prior to 149.0.7827.53. The vulnerability targets Chrome's WebRTC implementation, so any Chrome user visiting a malicious or compromised website is at risk. This includes enterprise deployments using Chrome as a managed browser, educational institutions, and individual users. Systems with Chrome auto-update enabled will receive patches automatically; those with manual update policies require immediate administrator action.

Exploitability

The vulnerability has a network attack vector with low complexity, meaning an attacker can craft a webpage and serve it via HTTP/HTTPS without needing to compromise a target's local system or network. User interaction is required—the victim must visit the malicious page or click a link—but phishing campaigns and watering hole attacks make this a practical exploitation method. No proof-of-concept is known to be publicly available as of the publication date, and the vulnerability is not yet listed on CISA's Known Exploited Vulnerabilities (KEV) catalog, suggesting exploitation in the wild is not yet documented. However, the high severity rating and straightforward attack vector mean active exploitation could emerge quickly once detailed technical information spreads.

Remediation

Update Google Chrome to version 149.0.7827.53 or later immediately. For organizations managing multiple systems, use Chrome's enterprise deployment tools or group policy to force updates. Verify update status in Chrome's About page (chrome://about or Chrome menu > Help > About Google Chrome), which will show the installed version and auto-update status. For manually managed deployments, download the latest installer from google.com/chrome/. No workarounds exist; patching is the only mitigation. Consider temporarily restricting or blocking Chrome use for high-risk users if deployment of patches will be delayed.

Patch guidance

Verify the installed Chrome version against 149.0.7827.53. Chrome updates are typically delivered automatically on restart; force an update by opening chrome://settings/help and clicking 'Relaunch.' For enterprise deployments, consult your organization's update policy and use centralized deployment tools if available. Verify patch application by confirming the version number in chrome://version. No dependent patches or compatibility issues are documented for this fix.

Detection guidance

Monitor for suspicious WebRTC activity or crashes in Chrome process logs. Endpoint detection tools should flag unexpected code execution originating from the Chrome renderer process sandbox. Web filtering and DNS sinkhole solutions can block known malicious landing pages if advisories include indicators of compromise. Additionally, monitor for abnormal network connections initiated by Chrome immediately after visiting untrusted websites. Organizations without automated update mechanisms should audit systems using Chrome versions prior to 149.0.7827.53 and prioritize those systems for immediate patching.

Why prioritize this

This vulnerability combines high severity (CVSS 8.8), practical exploitability via web delivery, universal browser deployment, and user-interaction-only requirement—a combination that historically leads to rapid, widespread exploitation. WebRTC vulnerabilities have been targeted by both financially motivated and state-sponsored actors. The absence from the KEV catalog as of publication suggests a narrow window before active exploitation becomes common. Organizations should treat this as a critical patch priority, especially for systems facing external internet exposure or handling sensitive data.

Risk score, explained

The CVSS 3.1 score of 8.8 (HIGH) reflects a network-accessible vulnerability with no authentication or elevated privilege requirement, high impact on confidentiality, integrity, and availability, and low attack complexity. The score is tempered slightly by the requirement for user interaction and execution within a sandbox. However, the practical ease of delivering malicious web content, the global user base of Chrome, and the history of sandbox escapes elevate real-world risk beyond the base CVSS score. Organizations should consider this a de facto critical priority regardless of CVSS categorization.

Frequently asked questions

Does this affect Chrome on Android or iOS?

The source data specifies Chrome on Windows, macOS, and Linux. Chrome on Android and iOS uses different rendering engines (Blink on Android, WebKit on iOS) and have separate release cycles. Confirm the status of those platforms via Google's official security updates page, but this specific vulnerability's applicability to mobile versions is not documented in the available advisory.

What if we block WebRTC at the firewall?

Network-level blocking of WebRTC may reduce attack surface, but it is not a reliable mitigation because WebRTC can operate over HTTPS and through tunneling. The only reliable mitigation is to update Chrome to a patched version or restrict Chrome use. Consider network controls as a defense-in-depth layer, not a substitute for patching.

Are there indicators of compromise or malicious domains we should block?

The source data does not include specific indicators of compromise (IOCs) such as malicious domains or IP addresses. Organizations should monitor threat intelligence feeds, CISA advisories, and vendor security blogs for updated IOCs as active exploitation is discovered. Consult your security operations team and threat intelligence provider for domain blocklists and behavioral detection signatures specific to this CVE.

Why is this not on CISA's Known Exploited Vulnerabilities list yet?

The KEV catalog tracks vulnerabilities with confirmed active exploitation in the wild. This vulnerability, published in June 2026, is not yet documented as being exploited at scale. However, the high severity and practical attack vector mean it could be added soon. Assume active exploitation is forthcoming and prioritize patching accordingly.

This analysis is based on publicly available information as of June 2026 and reflects the state of the vulnerability at publication. Specific patch version numbers, affected product versions, and CVSS scores are derived from official vendor advisories and NIST databases and should be independently verified before operational decisions are made. Exploitation timelines, active campaigns, and threat actor involvement may change; consult real-time threat feeds for the latest developments. This explainer does not constitute legal, compliance, or procurement advice. Organizations should align vulnerability response decisions with their security policies, risk tolerance, and regulatory obligations. No exploit code or weaponizable technical details are provided herein; responsible disclosure principles have been observed. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).