HIGH 8.8

CVE-2026-11060: Critical Chrome Media Use-After-Free RCE on Windows

A use-after-free vulnerability exists in Google Chrome's media handling on Windows systems. An attacker can craft a malicious HTML page that, when visited by a user, exploits this flaw to execute arbitrary code within Chrome's sandbox. While the sandbox provides a layer of isolation, successful exploitation would still allow the attacker to run code with the privileges of the Chrome process, potentially leading to data theft, credential capture, or lateral movement to the system itself.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-416
Affected products
2 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Use after free in Media in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11060 is a use-after-free (CWE-416) vulnerability in the Media component of Google Chrome on Windows prior to version 149.0.7827.53. The flaw occurs when memory that has been freed is accessed again, allowing an attacker to manipulate heap state and achieve remote code execution. The vulnerability requires user interaction—the user must visit a crafted HTML page—but does not require any special privileges or system configuration. The attack vector is network-based and the impact spans confidentiality, integrity, and availability.

Business impact

Exploitation of this vulnerability could allow an attacker to execute code within a user's Chrome browser, even though it runs in a sandbox. An attacker could steal session cookies, harvest credentials, exfiltrate sensitive data from browser storage, or pivot to attack other systems on the network. For organizations where Chrome is the primary browser, particularly those handling sensitive information, this poses a material risk. Affected users need not take any unusual action beyond visiting a web page, making drive-by compromise feasible at scale.

Affected systems

Google Chrome on Windows versions prior to 149.0.7827.53 are vulnerable. The vulnerability is specific to the Windows platform and the Media processing subsystem. Users of other Chromium-based browsers may also be affected depending on their version; verify with the relevant vendor. macOS and Linux users running affected Chrome versions should check their patch status with Google, though this CVE description is Windows-specific.

Exploitability

This vulnerability has a network attack vector and requires only user interaction (visiting a web page), making it highly exploitable in practice. An attacker does not need authentication or special system privileges. The CVSS score of 8.8 reflects these factors. However, exploitation is not passive—the attacker must host or inject a malicious page and convince or trick users into visiting it. The sandbox mitigation reduces (but does not eliminate) the risk of full system compromise. No public exploit code or active exploitation has been confirmed at this time, and the vulnerability is not yet listed on the CISA Known Exploited Vulnerabilities catalog.

Remediation

Update Google Chrome to version 149.0.7827.53 or later on all Windows systems. This patch addresses the use-after-free flaw in the Media component. Users should enable automatic updates if not already enabled. Organizations should prioritize patching systems used by high-value targets (executives, researchers, developers) who may be targeted by sophisticated attackers, and then roll out patches broadly.

Patch guidance

Verify that Chrome updates to version 149.0.7827.53 or later have been deployed. On Windows, navigate to Chrome menu > Help > About Google Chrome to check the current version and trigger automatic updates if available. For enterprise environments, use Chrome policies or a patch management system to enforce the latest version. Test patches in a non-production environment first if your organization has complex Chrome configurations. Verify that users cannot downgrade to unpatched versions through policy settings.

Detection guidance

Monitor for Chrome crash dumps or security logs that reference Media component processing of malformed HTML. Network-level detection is difficult since the attack payload is typically embedded in HTML. Focus on behavioral detection: monitor for unusual child processes spawned by Chrome, unexpected network connections from Chrome, or attempts to access credential storage. Endpoint detection and response (EDR) tools should flag suspicious Chrome subprocess activity. Log Chrome updates to verify timely patching and identify systems still running versions prior to 149.0.7827.53.

Why prioritize this

The CVSS score of 8.8 (HIGH) combined with a low barrier to exploitation (network vector, user interaction only, no privileges required) makes this a priority for patching. While the sandbox provides some containment, the confidentiality and integrity impact is significant. Organizations should prioritize patching within 2–4 weeks, sooner if users are likely targets of nation-state or organized threat actors. The absence of known active exploitation should not delay patching, as public disclosure will attract attacker attention.

Risk score, explained

The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H yields a score of 8.8 (HIGH). Attack Vector (Network) and Attack Complexity (Low) indicate easy remote triggering. No Privileges (PR:N) and User Interaction (Required) reflect that the victim must visit a page but no special account or system state is needed. Scope Unchanged means impact is limited to the Chrome process. Confidentiality, Integrity, and Availability all rated High reflect full compromise of the sandboxed process and potential data exfiltration.

Frequently asked questions

Will Chrome's sandbox prevent all harm if I visit a malicious page?

The sandbox significantly limits the damage by isolating the compromised Chrome process from direct system access. However, an attacker exploiting this use-after-free can still steal data from within that process—including session tokens, autofill data, and cached passwords—or use the compromised process as a beachhead for further attacks. The sandbox is a mitigation, not a complete prevention.

Do I need to worry if I only use Chrome for non-sensitive browsing?

If you use Chrome to access email, banking, social media, or any account-based service, that session data is at risk if you visit a malicious page before patching. Even 'non-sensitive' browsing can expose authentication tokens. We recommend patching all users regardless of their browsing habits, since it is difficult to predict attack vector in advance.

How quickly should my organization patch this?

Patch within 2–4 weeks as part of normal security operations. If your organization is a likely target (financial services, government, media, technology), prioritize higher-value users (leadership, engineers) within 1–2 weeks. The vulnerability is not yet actively exploited at scale, but public disclosure will draw attacker interest.

Are other Chromium-based browsers affected?

Potentially yes, depending on the version of Chromium they are built on. Microsoft Edge, Brave, Opera, and other Chromium derivatives may be vulnerable if they use an older Chromium version. Check with the vendor of each browser for their patched versions, and apply updates according to your organization's browser deployment.

This analysis is based on publicly available information as of the modification date (2026-06-17). Patch version numbers and affected product versions are accurate to the vendor advisories referenced. Security circumstances and threat landscape change; re-evaluate risk periodically. No exploit code is provided or referenced. Organizations should consult with their own security teams and vendor advisories before making patching decisions. SEC.co makes no warranty regarding the completeness or timeliness of this analysis. Source: NVD (public-domain), retrieved 2026-07-12. Analysis generated by SEC.co (claude-haiku-4-5).