CVE-2026-11074: Use-After-Free in Chrome WebRTC on Linux (CVSS 8.8)
A use-after-free vulnerability in Google Chrome's WebRTC component on Linux systems allows attackers to execute arbitrary code if a user visits a specially crafted webpage. The vulnerability stems from improper memory management in the WebRTC implementation, where code attempts to access memory that has already been freed. This can be exploited remotely without requiring special user privileges, though user interaction (visiting a malicious page) is necessary. The issue affects Chrome versions prior to 149.0.7827.53 on Linux.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-416
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Use after free in WebRTC in Google Chrome on Linux prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Medium)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11074 is a use-after-free vulnerability (CWE-416) in the WebRTC component of Google Chrome on Linux. The flaw allows a remote attacker to trigger arbitrary code execution through a crafted HTML page. The vulnerability requires user interaction in the form of visiting a malicious webpage, but no additional authentication or system privileges are needed for exploitation. The attack vector is network-based, the attack complexity is low, and the confidentiality, integrity, and availability impacts are all rated as high in the CVSS assessment.
Business impact
Successful exploitation of this vulnerability could result in complete compromise of affected user accounts and systems. An attacker gaining code execution with user privileges can steal sensitive data, install malware, modify files, or pivot to other systems on the network. Organizations with Linux-based workforces, particularly those using Chrome as a primary browser, should consider the risk to employee productivity and data security. Supply chain and third-party web application risks also increase if users access untrusted or compromised websites. The remediation timeline is critical given the high CVSS score and ease of exploitation.
Affected systems
This vulnerability specifically impacts Google Chrome running on Linux systems with versions prior to 149.0.7827.53. While the Linux kernel is listed as an affected product, the actual vulnerability resides in Chrome's WebRTC implementation rather than the kernel itself. Systems running Chrome on other operating systems (Windows, macOS) are not affected by this particular vulnerability. Any organization deploying Chrome on Linux infrastructure—including development environments, customer-facing services, and employee workstations—should prioritize patching.
Exploitability
The vulnerability is highly exploitable in real-world scenarios. It requires no special privileges, network authentication, or complex attack setup; an attacker simply needs to trick a user into visiting a malicious webpage. Attack complexity is low, indicating that exploitation does not require precise conditions or timing. The primary barrier to exploitation is user interaction, but this is a common and well-understood vector in web-based attacks. The lack of KEV (Known Exploited Vulnerability) designation does not diminish the practical risk, as the attack surface—user web browsing—is extremely broad.
Remediation
Organizations should immediately update Google Chrome on all Linux systems to version 149.0.7827.53 or later. Verify the installed Chrome version through the Settings menu (Settings > About Chrome), which will trigger an automatic update check. For enterprises managing Chrome deployments, policy-based updates through Google Admin or similar management platforms should be prioritized. Until patching is complete, consider restricting access to untrusted websites, disabling WebRTC in user policies if feasible for your workflow, or increasing user awareness training around phishing and malicious link risks.
Patch guidance
Apply Chrome version 149.0.7827.53 or later on all Linux systems. Chrome typically auto-updates, but verify completion by navigating to chrome://settings/help to force an update check. For enterprise deployments, use managed policies to push updates across your fleet. Document the patch date and version deployed for compliance and audit purposes. No additional kernel updates are required unless your Linux distribution has independently released WebRTC-related patches for the kernel.
Detection guidance
Monitor Chrome version numbers across your Linux estate using endpoint detection tools or browser telemetry. Look for process execution or network connections initiated from older Chrome versions (pre-149.0.7827.53) accessing suspicious or unexplained domains. Behavioral indicators of exploitation may include unexpected child processes spawned from Chrome, elevated privilege requests, or unusual file modifications following a user's web browsing session. Network-level detection is limited given the remote, user-interaction-driven nature of the attack, but unusual WebRTC traffic patterns or audio/video device access by Chrome may warrant investigation in high-security environments.
Why prioritize this
This vulnerability merits immediate remediation priority due to the combination of high CVSS score (8.8), remote exploitability, low attack complexity, and high confidentiality and integrity impact. The requirement for user interaction is the only limiting factor, but this is a standard barrier in web-based attacks and does not significantly reduce practical risk. The absence from the KEV catalog suggests it is not yet being actively exploited at scale, providing a window of opportunity to patch before threat actors weaponize it widely.
Risk score, explained
The CVSS v3.1 score of 8.8 (HIGH) reflects the vulnerability's dangerous profile: remote network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), and user interaction needed (UI:R). All impact metrics are rated High—an attacker can compromise confidentiality (read sensitive data), integrity (modify or delete data), and availability (crash or lock systems). While Chromium's internal severity rating is Medium (likely reflecting defense-in-depth protections in the browser sandbox), the CVSS assessment appropriately captures the end-to-end risk when an attacker successfully exploits the use-after-free condition.
Frequently asked questions
Will updating Chrome automatically protect me, or do I need to manually trigger the patch?
Chrome is designed to auto-update, but updates may not apply immediately upon release. Visit chrome://settings/help to manually trigger an update check and force installation of version 149.0.7827.53 or later. Restart Chrome after the update completes to ensure the patched version is running.
Does this vulnerability affect Chrome on Windows or macOS?
No. This vulnerability is specific to Chrome on Linux due to how WebRTC memory management differs on that platform. Users on Windows and macOS are not affected by CVE-2026-11074. However, they should maintain current patch levels for other platform-specific vulnerabilities.
What is a use-after-free vulnerability and why is it dangerous?
A use-after-free occurs when code accesses memory that has already been deallocated. This can allow an attacker to read, modify, or overwrite that memory with malicious data, potentially leading to code execution. In WebRTC, this could corrupt video/audio processing state or browser internals, giving attackers a pathway to arbitrary code execution within the Chrome process.
Is there a workaround if I cannot update Chrome immediately?
Workarounds are limited but may include: disabling WebRTC in Chrome flags (chrome://flags), avoiding untrusted websites, using a browser policy to restrict access to high-risk domains, or temporarily using an alternative browser. However, these are temporary measures—patching is the only reliable fix.
This analysis is based on publicly disclosed vulnerability information as of June 2026. Patch version numbers and timelines should be verified against the official Google Chrome security advisory and release notes. No exploit code or weaponized proof-of-concept is provided. Organizations should conduct internal testing of patches in non-production environments before full deployment. The absence of a KEV designation does not guarantee the vulnerability is not being exploited; threat intelligence and incident response teams should monitor for active exploitation signs. This information is provided for educational and defensive security planning purposes only. Source: NVD (public-domain), retrieved 2026-07-12. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10001HIGHChrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGHChrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10007HIGHChrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)
- CVE-2026-10012HIGHChrome Skia Use-After-Free Sandbox Escape (v148.0.7778.216)
- CVE-2026-10013HIGHUse-After-Free in Chrome WebCodecs – Patch Guide & Risk Assessment
- CVE-2026-10016HIGHUse-After-Free in Chrome DOM – Sandbox Code Execution Vulnerability
- CVE-2026-10882HIGHCritical Chrome Use-After-Free RCE Vulnerability – Exploit Details & Patch Guidance