CVE-2026-11096: Chrome WebRTC Out-of-Bounds Read
A memory reading flaw in Chrome's WebRTC component allows attackers to trick users into visiting a malicious webpage that steals sensitive data from the browser's memory. The vulnerability requires user interaction (clicking a link or visiting a site) but needs no special privileges, making it a practical attack vector for information theft. Google patched this in Chrome version 149.0.7827.53 and later.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-125
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Out of bounds read in WebRTC in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11096 is an out-of-bounds read vulnerability (CWE-125) in the WebRTC implementation within Chrome. The flaw permits remote code execution contexts to read beyond allocated memory boundaries, potentially exposing process memory contents to attackers. The vulnerability is network-reachable, requires minimal attacker complexity, and relies on user interaction via a crafted HTML page. With a CVSS 3.1 score of 6.5 (Medium), it scores high on confidentiality impact but carries no integrity or availability consequences.
Business impact
This vulnerability primarily threatens data confidentiality for Chrome users. Attackers can harvest authentication tokens, session cookies, cached credentials, or other sensitive information resident in memory during an active browsing session. While not leading to system compromise or denial of service, the information disclosure can enable secondary attacks such as account takeover or lateral movement. Organizations with high-value users—executives, developers, security staff—face elevated risk from targeted campaigns exploiting this flaw.
Affected systems
The vulnerability affects Chrome versions prior to 149.0.7827.53 running on Windows, macOS, and Linux systems. WebRTC is a core browser component, so all Chrome installations with WebRTC enabled (the default configuration) are in scope. While the CVE lists additional OS vendors (Apple macOS, Linux kernel, Microsoft Windows), the root cause resides in Chrome itself; remediation requires a Chrome update rather than OS-level patches.
Exploitability
Exploitability is moderate to high in real-world scenarios. The attack requires no authentication, runs at network scope, and only needs a user to open a malicious webpage—a low friction barrier given social engineering and drive-by attacks. However, the vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog, indicating no confirmed active exploitation as of the last update. The barrier to weaponization is likely low for sophisticated attackers familiar with memory layouts and WebRTC internals.
Remediation
Users must update Chrome to version 149.0.7827.53 or later. Chrome's auto-update mechanism typically delivers patches within days, but administrators should verify deployment in enterprise environments. No workarounds exist; disabling WebRTC is impractical for most users since it supports legitimate video/audio conferencing features. Patching is the only reliable mitigation.
Patch guidance
Deploy Chrome 149.0.7827.53 or later across all managed systems. Verify the update via Chrome Settings > About Chrome, which triggers an automatic check and displays the current version. For enterprise deployments, use Chrome policies to enforce minimum version requirements (ChromeMinimumVersionRequired policy on Windows/Mac, or equivalent mechanisms on Linux). Test the update in a pilot group before full rollout to catch compatibility issues. Prioritize user-facing roles and high-value targets within 48–72 hours of patch availability.
Detection guidance
Monitor for process crashes or anomalous WebRTC behavior in browser telemetry. Look for suspicious JavaScript payloads delivered via email, chat, or web requests that reference WebRTC APIs or memory-adjacent operations. Network detection is limited since the attack vector is localized to the browser; focus on endpoint telemetry. EDR solutions should flag unusual memory access patterns within the Chrome process or unexpected child process spawning. User reports of unexpected browser slowdowns or memory spikes during WebRTC-heavy activities warrant investigation.
Why prioritize this
While the CVSS score is Medium (6.5), the practical risk warrants swift patching due to the low interaction complexity, network reachability, and potential for information theft at scale. The absence of KEV listing suggests the vulnerability is not yet widely weaponized, presenting a window to patch before mass exploitation. Chrome users handling sensitive data—credentials, financial records, intellectual property—should be prioritized, followed by general user populations.
Risk score, explained
The CVSS 3.1 score of 6.5 reflects high confidentiality impact (C:H), no integrity or availability impact (I:N, A:N), network attack vector (AV:N), low attack complexity (AC:L), no privilege requirement (PR:N), and user interaction dependency (UI:R). The score appropriately captures that attackers can steal data but cannot modify systems or disrupt service. In context, the low barrier to user interaction and the prevalence of Chrome in enterprise and consumer environments elevate the real-world risk above the numerical score alone.
Frequently asked questions
Do I need to do anything if I'm using Chrome's automatic updates?
Chrome's auto-update feature typically deploys patches within 24–48 hours. Check your version in Settings > About Chrome to confirm you're on 149.0.7827.53 or later. If auto-updates are enabled and your browser has restarted, you're likely protected. However, verify to be certain, especially in enterprise settings where updates may be staged.
What data can an attacker actually steal with this vulnerability?
An attacker can read process memory adjacent to WebRTC buffers, potentially exposing authentication tokens, session cookies, cached passwords, recently entered form data, or other sensitive values in memory. The scope depends on what sensitive data the user's browser is holding at the moment the malicious page is visited. High-risk targets include users logged into banking, email, or corporate applications.
Why isn't this vulnerability on CISA's KEV list despite the medium score?
CISA adds vulnerabilities to the KEV catalog only when there is confirmed evidence of active exploitation in the wild. As of the last update, no public exploits or confirmed attacks for CVE-2026-11096 were reported. This does not mean the vulnerability is low-risk; it simply means active weaponization has not been documented. Patching should not be delayed waiting for KEV listing.
Can I disable WebRTC to avoid this vulnerability?
Disabling WebRTC is technically possible via browser flags or extensions, but it breaks legitimate features like Google Meet, Zoom, and other video conferencing tools. Instead, upgrade to the patched Chrome version. For high-security environments where WebRTC is not essential, disabling it is a defense-in-depth measure, but patching is the standard mitigation.
This analysis is based on publicly available vulnerability data as of the publication date. CVSS scores and exploit status may evolve; consult official vendor advisories and CISA alerts for real-time updates. Patch version numbers and affected software versions should be verified against Google's official Chrome release notes and security advisories before deployment. This assessment does not constitute a comprehensive security audit and should be supplemented with organization-specific risk evaluation and threat modeling. Source: NVD (public-domain), retrieved 2026-07-12. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-10998MEDIUMChrome Media Out-of-Bounds Memory Read Vulnerability
- CVE-2026-11004MEDIUMChrome ANGLE Out-of-Bounds Read Memory Disclosure
- CVE-2026-11006MEDIUMChrome Out-of-Bounds Read in Dawn Graphics API—Urgent Patch Required
- CVE-2026-11075MEDIUMOut-of-Bounds Read in Chrome V8 Engine – Memory Disclosure Vulnerability
- CVE-2026-11090MEDIUMChrome ANGLE Memory Leak Enables Cross-Origin Data Theft
- CVE-2026-9953MEDIUMChrome ANGLE Out-of-Bounds Memory Read Information Disclosure
- CVE-2026-10889HIGHCritical ANGLE Sandbox Escape in Google Chrome – Patch to 149.0.7827.53
- CVE-2026-10927HIGHChrome Sandbox Escape via Dawn Out-of-Bounds Read