CVE-2026-10975: Critical Use-After-Free in Chrome WebRTC – Patch Now
A use-after-free vulnerability in Google Chrome's WebRTC component allows an attacker to execute arbitrary code within the Chrome sandbox by tricking a user into visiting a specially crafted website. The vulnerability affects Chrome versions prior to 149.0.7827.53 and requires user interaction—specifically clicking a link or visiting a malicious page—but does not require any special privileges. Once exploited, an attacker gains the ability to run code with the same permissions as the Chrome process, potentially compromising sensitive data or escalating further.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-416
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Use after free in WebRTC in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10975 is a use-after-free vulnerability (CWE-416) in the WebRTC implementation of Google Chrome. Use-after-free bugs occur when a program accesses memory that has already been freed, allowing attackers to read, modify, or execute arbitrary code. In this case, the flaw resides in Chrome's WebRTC audio/video processing stack. An attacker can craft a malicious HTML page that triggers improper memory management during WebRTC session teardown or media processing. When a user visits the page, the freed memory is reused in a way that gives the attacker control over execution flow. Although the exploit runs within Chrome's sandbox, it can still compromise user data, steal credentials, or serve as a pivot point for further attacks. The vulnerability is network-reachable and requires only user interaction (UI:R), making it practical to exploit at scale via watering hole attacks or malicious advertisements.
Business impact
This vulnerability poses a significant risk to enterprise environments where Chrome is the primary browser. An attacker exploiting CVE-2026-10975 can steal corporate data, session tokens, or credentials stored in the browser. For organizations handling sensitive information—financial services, healthcare, legal, or government—a successful exploit could result in data exfiltration, regulatory fines, or loss of customer trust. The sandboxing mitigates some risk by preventing direct OS-level compromise, but does not prevent access to in-browser data like cached passwords, browsing history, or business intelligence. Additionally, if exploited in a targeted attack against employees visiting legitimate but compromised websites, it could serve as an initial foothold for lateral movement within a corporate network.
Affected systems
Google Chrome is the primary affected product; all versions prior to 149.0.7827.53 are vulnerable. The vulnerability also affects the operating systems on which Chrome runs: Apple macOS, Linux (including the Linux kernel environment), and Microsoft Windows. Any organization or individual running Chrome on these platforms before applying the patch is at risk. The vulnerability does not discriminate based on Chrome extensions, user profile settings, or security features; presence of the vulnerable code is sufficient for exploitation.
Exploitability
This vulnerability is highly exploitable in real-world scenarios. It requires only network access and user interaction—no authentication, elevated privileges, or complex setup is needed. An attacker can host a malicious website or inject malicious ads into legitimate ad networks, reaching a broad audience. The sandboxing mechanism reduces but does not eliminate the value of exploitation; an attacker can still steal data from the browser context. No public exploit code or KEV inclusion has been reported as of the data snapshot, but the combination of high CVSS score (8.8), practical attack vector, and the historical frequency of WebRTC vulnerabilities being exploited suggests this should be treated as a credible, active threat.
Remediation
The primary remediation is to update Google Chrome to version 149.0.7827.53 or later. Chrome auto-updates by default, but users should verify they are on the latest version by navigating to Settings > About > Google Chrome. Organizations managing Chrome via Mobile Device Management (MDM) or enterprise policies should push the update to all managed devices. For Windows, macOS, and Linux deployments, ensure automatic updates are enabled or manually trigger updates where policies permit. In parallel, organizations should consider restricting access to high-risk or untrusted websites and educating users about the risks of visiting suspicious links.
Patch guidance
Verify that all Chrome instances across your organization have been updated to 149.0.7827.53 or later. Chrome's built-in auto-update mechanism will handle most user devices, but verify through your IT asset inventory or endpoint detection and response (EDR) tools. For enterprise Chrome deployments (Chrome for Enterprise or Chromebook), use Google's update management tools to confirm rollout. Test the patch in a non-production environment first to ensure no compatibility issues with critical web applications. Document the patch deployment date and confirm rollback procedures are in place, though rollback is rarely necessary for security patches of this severity. If your organization uses Chrome in kiosk mode or special configurations, verify that updates do not break custom setups.
Detection guidance
Monitor for signs of exploitation by analyzing Chrome crash logs and renderer process anomalies. EDR/MDR solutions should flag any Chrome process spawning unexpected child processes or attempting unusual system calls, as this may indicate sandbox escape attempts. Web proxies and network monitoring can detect suspicious requests to malicious domains or unusual WebRTC signaling traffic. Consider deploying browser isolation technology in high-risk environments to prevent malware execution even if the vulnerability is exploited. Log successful and failed Chrome updates to ensure compliance with patching policies. Monitor for infection indicators such as unusual data exfiltration attempts or privilege escalation events correlated with Chrome usage patterns. Note that exploitation may leave minimal traces if confined to the sandboxed process; focus detection efforts on post-breach indicators.
Why prioritize this
CVE-2026-10975 warrants immediate patching due to its high CVSS score (8.8), practical exploitability (network-accessible, user-interaction only), and the widespread deployment of Chrome across enterprises and consumer devices. The vulnerability affects all major operating systems, making it a universal threat. While the sandbox provides a degree of containment, the ability to steal browser-resident data or use Chrome as a pivot point for lateral movement justifies urgent remediation. The lack of KEV inclusion does not reduce priority; it reflects data timing rather than true exploitability. Any organization using Chrome should patch within 48–72 hours; critical environments should prioritize even faster.
Risk score, explained
The CVSS 3.1 score of 8.8 (HIGH) reflects the combination of high attack complexity, network accessibility, low attack complexity (no special setup required), requirement for user interaction, and high impact across confidentiality, integrity, and availability. The vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H breaks down as: Attack Vector Network (AV:N) — attacker can craft a malicious web page; Attack Complexity Low (AC:L) — no special race conditions or timing; Privileges Required None (PR:N) — any user can be targeted; User Interaction Required (UI:R) — user must click a link or visit a page; Scope Unchanged (S:U) — impact is limited to the user's own Chrome process; Confidentiality High (C:H) — browser data can be stolen; Integrity High (I:H) — code execution allows unauthorized data modification; Availability High (A:H) — the process can be crashed or resources exhausted. The score appropriately reflects a critical browser vulnerability with practical real-world risk.
Frequently asked questions
Does Chrome's sandbox prevent this vulnerability from being dangerous?
The sandbox limits the attacker's ability to directly compromise the operating system or access other applications, but it does not prevent theft of data stored in Chrome—including cookies, cached credentials, autocomplete data, browsing history, and browser-resident secrets. An attacker can also use a successfully exploited Chrome process as a stepping stone for further attacks on the same user or network. In short, the sandbox reduces the severity but does not make the vulnerability safe to ignore.
Will Chrome update automatically on my device?
Chrome is configured to auto-update by default on Windows, macOS, and Linux. However, updates are typically applied when Chrome is restarted, not immediately upon release. To ensure immediate protection, restart your browser or check Settings > About > Google Chrome to trigger a manual check. Enterprise administrators should use Google's Chrome management tools to enforce immediate deployment across their fleet.
What if I use a Chromebook?
Chromebooks receive updates automatically through the OS update mechanism and do not require manual patching by the user. However, verify that your Chromebook is powered on and connected to the internet to receive updates. For managed Chromebooks in enterprise environments, IT administrators can force updates via the Google Admin Console.
Are other Chromium-based browsers like Edge or Brave affected?
Other Chromium-based browsers such as Microsoft Edge or Brave may be affected if they share the vulnerable WebRTC code. Check the official advisories from those vendors for specific patch information and timelines. Ensure all Chromium-based browsers in your environment are updated to patched versions.
This analysis is provided for informational purposes and is based on vulnerability data available as of the publication date. The information does not constitute legal, technical, or business advice. Organizations should verify all patch versions, affected product lists, and remediation steps against official vendor advisories and internal system inventories before deploying patches. Security risks and business impacts vary by organization; conduct your own risk assessment before prioritization decisions. No exploit code or proof-of-concept is provided; do not attempt to exploit this or any other vulnerability outside of authorized security testing environments. This page may be updated as new information becomes available. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10001HIGHChrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGHChrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10007HIGHChrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)
- CVE-2026-10012HIGHChrome Skia Use-After-Free Sandbox Escape (v148.0.7778.216)
- CVE-2026-10013HIGHUse-After-Free in Chrome WebCodecs – Patch Guide & Risk Assessment
- CVE-2026-10016HIGHUse-After-Free in Chrome DOM – Sandbox Code Execution Vulnerability
- CVE-2026-10882HIGHCritical Chrome Use-After-Free RCE Vulnerability – Exploit Details & Patch Guidance