HIGH 8.8

CVE-2026-10978: Chrome Chromoting Use-After-Free Code Execution Vulnerability

A use-after-free vulnerability in Google Chrome's Chromoting component allows attackers to execute arbitrary code on Windows systems. An attacker can trigger the flaw by sending specially crafted network traffic to a target who is using Chrome's remote desktop or remote assistance feature. Successful exploitation grants the attacker the same privileges as the Chrome process, potentially leading to complete system compromise. The vulnerability requires user interaction (for example, accepting a remote connection or visiting a malicious site that initiates Chromoting), but otherwise presents a direct path to code execution without requiring special system privileges or authentication.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-416
Affected products
2 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Use after free in Chromoting in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code via malicious network traffic. (Chromium security severity: High)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10978 is a use-after-free memory vulnerability (CWE-416) in the Chromoting subsystem of Google Chrome prior to version 149.0.7827.53. Chromoting is Chrome's remote desktop and remote assistance component. The flaw stems from improper memory management, where freed memory is accessed after deallocation, leading to potential code execution. The CVSS 3.1 score of 8.8 (HIGH) reflects the network vector, low attack complexity, and severe impact on confidentiality, integrity, and availability. The vulnerability requires user interaction, preventing fully remote unauthenticated exploitation but remaining highly dangerous in realistic attack scenarios involving social engineering or cross-site request forgery.

Business impact

Organizations relying on Chrome Chromoting for remote support, employee remote assistance, or cross-platform remote access face immediate risk. A compromised Chrome process can lead to unauthorized access to sensitive data, lateral movement within corporate networks, deployment of malware, or business disruption. The requirement for user interaction means targeted phishing campaigns or deceptive social engineering can weaponize this vulnerability at scale. Remote work environments and support teams are particularly exposed. The vulnerability also affects the confidentiality and integrity of communications normally assumed secure under remote assistance scenarios.

Affected systems

Google Chrome on Windows systems running versions prior to 149.0.7827.53 are affected. The vulnerability is specific to Windows and manifests through the Chromoting remote desktop component. Other Chromium-based browsers and Chrome on other operating systems may require separate assessment. Microsoft Windows is listed as an affected product; however, Windows itself is not the source of the vulnerability—Chrome on Windows is the actual vulnerable software. Users and organizations should verify their Chrome version and apply the patch immediately.

Exploitability

Exploitability is high in practical terms despite the requirement for user interaction. An attacker can craft malicious network traffic and socially engineer a user into accepting a remote connection, visiting a compromised website that triggers Chromoting, or opening a malicious email attachment that initiates the vulnerability. The attack surface is broad because Chromoting is built into Chrome and accessible to any remote attacker who can send network packets to an affected browser. The low attack complexity and lack of privilege requirements mean that once user interaction occurs, exploitation is straightforward. While the vulnerability is not currently tracked on CISA's Known Exploited Vulnerabilities (KEV) catalog, this does not preclude active exploitation in the wild.

Remediation

Immediate action is required: update Google Chrome to version 149.0.7827.53 or later. Chrome includes automatic update functionality; verify that automatic updates are enabled in your environment. For enterprise deployments, use Chrome's group policy or configuration management tools to enforce the patch across all Windows systems. Users should manually check Settings > About Google Chrome to trigger an immediate update if automatic background updates are delayed. Once patched, the vulnerability is closed. No workarounds are available; patching is the only remediation.

Patch guidance

Verify your current Chrome version by navigating to chrome://version/ in the address bar. If the version is 149.0.7827.53 or later, you are patched. For automatic updates, allow Chrome to restart and apply patches; check Settings > About Google Chrome, which will automatically check for and apply updates. In enterprise environments, use Chrome's MSI installer with automatic update policies, or leverage third-party mobile device management (MDM) solutions to enforce version compliance. Schedule patch deployment during regular maintenance windows and confirm successful deployment across all endpoints. Test Chromoting functionality after patching to ensure remote access features remain operational.

Detection guidance

Monitor Chrome process memory access patterns and abnormal terminations or crashes in Chromoting sessions, which may indicate exploitation attempts. Implement endpoint detection and response (EDR) tools to flag suspicious activity within Chrome processes, including unexpected child process creation, registry modifications, or network connections outside normal remote desktop usage. Monitor for failed or anomalous Chromoting connection attempts, especially from unexpected sources. Log and alert on browser crashes or memory protection violations. Network-level detection is limited, but unusual spikes in remote desktop traffic or attempts to initiate Chromoting from suspicious IP addresses warrant investigation. Organizations should also monitor for post-exploitation indicators such as lateral movement or credential theft following confirmed Chromoting usage.

Why prioritize this

This vulnerability merits immediate prioritization due to its high CVSS score (8.8), direct path to arbitrary code execution, and applicability to widely deployed software (Chrome on Windows). While user interaction is required, realistic attack scenarios make this achievable through social engineering. The absence from the KEV catalog does not reduce urgency; threat actors actively hunt for recent Chrome vulnerabilities. Remote work environments and support organizations are high-value targets. Delaying patching exposes systems to compromise and creates risk for lateral movement, data exfiltration, and supply chain attacks.

Risk score, explained

The CVSS 3.1 score of 8.8 reflects: (1) network attack vector—remote exploitation is possible; (2) low attack complexity—no special conditions beyond user interaction are required; (3) no privilege escalation required—the attacker inherits Chrome process privileges; (4) user interaction required—moderate risk reduction, but achievable via phishing; (5) high confidentiality, integrity, and availability impact—arbitrary code execution enables complete compromise. The absence of scope change (local impact only) prevents a critical rating, but the score remains in the high-risk band and warrants immediate action.

Frequently asked questions

Does this vulnerability require a user to deliberately enable remote access, or can it be triggered silently?

The vulnerability requires user interaction, but not necessarily explicit remote access configuration. An attacker can craft network traffic to trigger Chromoting, and a user might unknowingly initiate a vulnerable code path through a malicious website, email link, or social engineering. It is not a completely passive vulnerability, but the barrier to exploitation is relatively low in realistic attack scenarios.

Are other Chromium-based browsers (Edge, Brave, Opera) affected by this vulnerability?

This vulnerability is specific to Google Chrome's Chromoting component. Other Chromium-based browsers may have similar components, but they are separate codebases. Check vendor advisories for Chromium-based browsers to determine if patches are available for analogous vulnerabilities. Edge, for example, should be assessed separately against Microsoft's security updates.

If I am not using Chromoting, am I at risk?

If you do not actively use Chromoting (remote assistance or remote desktop), your direct risk is lower. However, an attacker might trigger Chromoting through a malicious webpage or application without explicit user awareness. Additionally, system administrators who use Chromoting for employee support are at higher risk. Patching is recommended for all Windows Chrome users regardless of active Chromoting usage, as the best practice is to close the attack surface entirely.

What should I do if I suspect I have been exploited through this vulnerability?

Immediately isolate the affected system from the network to prevent lateral movement. Preserve logs and memory dumps if possible. Engage incident response and forensics teams to determine the scope of compromise, including data access and persistence mechanisms. Assume that an attacker who successfully exploited this vulnerability has access to Chrome's privileges and potentially more. Reset credentials for accounts accessed from the compromised system, scan for malware, and monitor for indicators of post-exploitation activity on the network.

This analysis is provided for informational purposes and should not be considered legal, technical, or business advice. Organizations should conduct their own risk assessments and consult with internal security teams and vendors. Patch timelines, compatibility, and implementation strategies vary by environment. SEC.co does not guarantee the accuracy or completeness of this analysis and is not responsible for decisions made based on this information. Always verify patch availability and compatibility with your specific Chrome and Windows versions through official Google and Microsoft channels before deployment. This vulnerability analysis reflects the state of knowledge as of the publication date and may be updated as new information becomes available. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).