CVE-2026-11115: Chrome Windows Use-After-Free Privilege Escalation Vulnerability
A use-after-free vulnerability exists in Google Chrome's update mechanism on Windows systems. An attacker with local access can exploit this flaw by crafting a malicious file, potentially escalating their privileges to system or administrator level. The vulnerability affects Chrome versions before 149.0.7827.53 and requires user interaction (such as opening or running a file) to trigger the exploit.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.3 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-416
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Use after free in Updater in Google Chrome on Windows prior to 149.0.7827.53 allowed a local attacker to perform OS-level privilege escalation via a malicious file. (Chromium security severity: Medium)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11115 is a use-after-free vulnerability (CWE-416) in the Chrome Updater component running on Windows. The flaw allows a local, low-privileged attacker to achieve arbitrary code execution with elevated privileges. The vulnerability stems from improper memory management where a freed object is accessed after deallocation. Exploitation requires local code execution context and user action to complete the attack chain, but once triggered, the impact is complete system compromise.
Business impact
Successful exploitation enables a local attacker to elevate privileges and gain system-level control of affected Windows machines. For organizations, this poses a significant risk to endpoint security, particularly in multi-user or shared-device environments. An attacker could install malware, exfiltrate sensitive data, modify system configurations, or use the compromised system as a pivot point for lateral movement within corporate networks.
Affected systems
Google Chrome versions prior to 149.0.7827.53 running on Microsoft Windows systems are vulnerable. This includes consumer and enterprise deployments. The vulnerability requires local access, so the risk is highest on shared workstations, kiosks, or systems where non-administrative users can execute files or interact with the Chrome update process.
Exploitability
Exploitability is moderate. An attacker needs local system access and the ability to place or trigger a malicious file, plus user interaction to complete the attack. The vulnerability is not remotely exploitable and does not appear on the CISA KEV catalog, suggesting active exploitation in the wild has not been widely documented at the time of publication. However, the technical barrier to exploitation is relatively low once local access is established.
Remediation
Immediately update Google Chrome to version 149.0.7827.53 or later on all Windows systems. Verify the update deployment across your organization, especially on critical workstations and shared devices. Chrome's automatic update mechanism should deploy this patch, but forced distribution through enterprise policy is recommended to ensure full coverage.
Patch guidance
Deploy Chrome version 149.0.7827.53 or later. For enterprise environments, use Google Chrome's enterprise update policies or third-party patch management solutions to enforce the update. Verify successful patching by checking Chrome's 'About Chrome' page (chrome://settings/help) on affected systems. Test patches in a non-production environment first to confirm compatibility with any custom Chrome configurations or extensions your organization relies on.
Detection guidance
Monitor for execution of suspicious files in user-writable directories, particularly those that interact with the Chrome update mechanism. Track process creation events where the Chrome Updater (GoogleUpdate.exe or related processes) spawns unexpected child processes. Implement application whitelisting for update-related binaries. In Windows event logs, look for privilege escalation indicators following Chrome-related process activity. Advanced endpoint detection should flag anomalous memory access patterns in Chrome processes if behavioral monitoring is available.
Why prioritize this
This vulnerability merits high priority due to its HIGH CVSS score (7.3) and local privilege escalation impact. While it requires local access and user interaction, the consequences—complete system compromise—are severe. In endpoint-heavy organizations, the cumulative risk across many machines is substantial. The fact that it is not yet on the KEV catalog suggests a narrow window before active exploitation becomes widespread; early patching is prudent.
Risk score, explained
The CVSS v3.1 score of 7.3 reflects the high impact (confidentiality, integrity, and availability all compromised) balanced against the requirement for local access and low privileges. The attack vector is local (AV:L), attack complexity is low (AC:L), minimal privileges are needed (PR:L), user interaction is required (UI:R), and scope is unchanged (S:U). This combination yields a HIGH severity rating appropriate for a privilege escalation flaw on Windows endpoints.
Frequently asked questions
Do I need to manually update Chrome, or will it update automatically?
Chrome typically updates automatically in the background. However, the update may require a browser restart to take effect. To force an immediate check, navigate to chrome://settings/help, which will check for and download pending updates. For enterprises managing Chrome centrally, confirm that your update policies are configured to push version 149.0.7827.53 or later promptly.
What if we use Chromium instead of Chrome—are we affected?
CVE-2026-11115 is specific to Google Chrome. Chromium and Chrome share a common codebase, but patch versions and release cycles differ. Check your Chromium release notes to determine if a corresponding fix has been released. Verify the specific Chromium version you use against the official Chromium security releases page.
Can this vulnerability be exploited remotely or only locally?
This flaw requires local access to the system. Remote exploitation is not possible. However, if an attacker has already gained local or network access (via phishing, compromised credentials, or another vulnerability), they could leverage this flaw to elevate their privileges from a low-privilege user to system level.
Is there a workaround if we cannot patch immediately?
There is no complete workaround, but risk can be reduced by restricting user ability to interact with files or the update mechanism, disabling auto-update if managed locally (though not recommended long-term), and enforcing strong access controls to prevent low-privilege code execution. These are temporary measures; patching is the definitive fix.
This analysis is provided for informational purposes and reflects the vulnerability details available as of the publication date. Exploitation details, active campaigns, and threat landscape may evolve. Always verify patch availability and applicability through official vendor advisories. SEC.co makes no warranty as to the completeness or timeliness of this information. Organizations should conduct their own risk assessments and testing before deploying patches in production environments. Source: NVD (public-domain), retrieved 2026-07-12. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10000HIGHChrome Sandbox Escape via Use-After-Free in Password Handling
- CVE-2026-10001HIGHChrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGHChrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10007HIGHChrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)
- CVE-2026-10012HIGHChrome Skia Use-After-Free Sandbox Escape (v148.0.7778.216)
- CVE-2026-10013HIGHUse-After-Free in Chrome WebCodecs – Patch Guide & Risk Assessment
- CVE-2026-10016HIGHUse-After-Free in Chrome DOM – Sandbox Code Execution Vulnerability