HIGH 8.8

CVE-2026-11000: Chrome Font Use-After-Free Remote Code Execution on Linux

A use-after-free vulnerability in Google Chrome's font handling on Linux allows attackers to execute arbitrary code within the browser's sandbox by tricking users into visiting a specially crafted webpage. The vulnerability affects Chrome versions before 149.0.7827.53 and requires user interaction (clicking a link or viewing a page) to trigger, but carries no special privilege requirements.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-416
Affected products
2 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Use after free in Fonts in Google Chrome on Linux prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11000 is a use-after-free condition (CWE-416) in Chrome's font rendering subsystem on Linux platforms. The flaw allows an attacker to craft malicious HTML that, when processed by the browser, causes the font handler to reference memory that has already been freed. This memory safety error can be exploited to achieve arbitrary code execution within the Chrome sandbox context. The sandbox isolation means the initial breach is contained to the Chrome process, though sandbox escapes remain a secondary concern for defense-in-depth planning.

Business impact

Successful exploitation could allow attackers to steal sensitive data from users' browsing sessions, inject malware, or establish persistent access to systems. Organizations with Linux-based developer workstations, security researchers, or users on Linux desktops face elevated risk. The requirement for user interaction (visiting a malicious site) makes this suitable for targeted phishing campaigns or watering hole attacks against specific user communities.

Affected systems

Google Chrome on Linux is directly affected in all versions prior to 149.0.7827.53. The vulnerability does not affect Chrome on Windows or macOS based on the vendor advisory scope. Linux kernel itself is listed in the affected products dataset but the vulnerability is specific to Chrome's font handling, not the kernel. Organizations should verify their Chrome version and Linux distribution status against the official Chrome release notes.

Exploitability

The attack requires user interaction and network access but no authentication or elevated privileges. An attacker needs only to craft a malicious HTML page and lure a user to visit it—via email, compromised website, or other social engineering vectors. The fact that code execution occurs within a sandbox limits post-exploitation reach but does not eliminate the threat; sandbox bypasses and secondary payloads remain feasible attack paths. The vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities catalog, suggesting active in-the-wild exploitation has not been widely documented as of the advisory date.

Remediation

Update Google Chrome to version 149.0.7827.53 or later. The update is available through Chrome's automatic update mechanism; users can manually verify their version via chrome://settings/help. For organizations managing Chrome deployments, ensure patch deployment policies trigger promptly upon release. Linux administrators should also confirm their distributions have provided any supplementary security updates, though the primary remediation is the Chrome version upgrade.

Patch guidance

Verify that Google Chrome updates automatically on your systems, or manually trigger updates via Settings > About Google Chrome > Check for Updates. Confirm successful patching by checking chrome://version and verifying the version number is 149.0.7827.53 or higher. For enterprise deployments, use Chrome's device management policy to enforce minimum version requirements and track rollout progress. Test the patch in a non-production environment if your organization has critical web applications that depend on specific Chrome versions.

Detection guidance

Monitor Chrome version inventory across your fleet to identify systems running versions prior to 149.0.7827.53. Endpoint detection and response (EDR) tools should monitor for unusual font-handling processes or memory access patterns, though detection at exploitation time is challenging due to sandbox containment. Network-level detection is limited; focus instead on preventing user access to known malicious domains via threat intelligence feeds and DNS filtering. Log authentication attempts and data exfiltration from compromised user sessions if breach is suspected.

Why prioritize this

This vulnerability merits high priority due to its network-reachable attack surface, high CVSS score (8.8), and potential for arbitrary code execution. Although sandboxing limits immediate damage, the requirement for only user interaction and no privileges makes it suitable for large-scale phishing campaigns. Organizations should prioritize patching systems used by high-value targets (executives, engineers, researchers) and those with browsing access to untrusted content. The absence of active public exploitation in KEV does not reduce urgency; it reflects a lag in threat intelligence rather than actual risk.

Risk score, explained

The CVSS 3.1 score of 8.8 (HIGH severity) reflects a network-reachable attack vector, low attack complexity, and no privilege requirements, balanced against the requirement for user interaction and the sandbox containment. Confidentiality, integrity, and availability impacts are all rated as high because successful exploitation allows arbitrary code execution within the user's browsing context, enabling data theft, malware installation, or denial of service. The sandbox does not reduce the CVSS score but is an important secondary control for defense depth.

Frequently asked questions

Why does this affect Linux but not Windows or macOS?

The vulnerability is in Chrome's font rendering code path, which may have platform-specific implementations. Chromium's font handling differs by OS; the Linux version of this particular code path contains the use-after-free bug. Windows and macOS versions may use different libraries or memory management patterns that avoid the issue. Always verify the vendor advisory for specific platform coverage.

What does 'use after free' mean and why is it serious?

A use-after-free occurs when code tries to access memory that has already been released back to the operating system. Attackers can exploit this by placing malicious data in the freed memory, and when the vulnerable code accesses it, arbitrary code can be executed. This is one of the most dangerous memory safety flaws and is a common target for browser exploits.

Does the Chrome sandbox prevent all attacks from this vulnerability?

The sandbox prevents the malicious code from directly accessing the file system, network, or system resources. However, it is a security boundary, not an impenetrable wall. Sandbox escapes (secondary vulnerabilities that break out of the sandbox) have been discovered historically. Defense-in-depth requires both timely patching of this vulnerability and ongoing monitoring for sandbox escape techniques.

Is this vulnerability being actively exploited in the wild?

As of the advisory date, this vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog. This does not guarantee absence of exploitation; it reflects the current state of public threat intelligence. Organizations should assume it could be targeted in advanced phishing campaigns or zero-day-like attacks against specific victims and treat it as high priority regardless.

This analysis is based on publicly available vulnerability data and vendor advisories current as of the publication date. Patch version numbers, affected product lists, and severity ratings are sourced from official Chromium and vendor channels; verify against the latest advisories before deployment. No exploit code or weaponization techniques are provided. Organizations should conduct independent risk assessment and testing before deploying patches to production systems. SEC.co makes no warranties regarding the completeness or accuracy of this information and is not liable for damages arising from its use or misuse. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).