HIGH 8.8

CVE-2026-11116: Chrome Chromoting Use-After-Free Remote Code Execution

Google Chrome contains a use-after-free memory vulnerability in its Chromoting remote desktop feature that can be triggered by malicious network traffic. An attacker can send specially crafted packets to a targeted user, leading to arbitrary code execution on the victim's machine. The vulnerability requires user interaction—specifically, the user must be engaged in an active Chromoting session—but once triggered, it grants the attacker the same privileges as the Chrome process.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-416
Affected products
4 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Use after free in Chromoting in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code via malicious network traffic. (Chromium security severity: Medium)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11116 is a use-after-free vulnerability (CWE-416) in Google Chrome's Chromoting component prior to version 149.0.7827.53. The flaw occurs when Chromoting fails to properly manage object lifetime during network message handling. An attacker exploiting this can craft malicious network traffic that causes the application to reference freed memory, leading to code execution with HIGH severity (CVSS 8.8). The attack vector is network-based with low complexity, though user interaction is required—the target must have an active Chromoting session.

Business impact

Organizations relying on Chrome Remote Desktop for IT support, helpdesk operations, or employee remote access face direct compromise risk. Successful exploitation allows attackers to bypass Chrome's sandbox protections and execute arbitrary code on end-user machines, potentially leading to lateral movement into corporate networks, credential theft, or malware deployment. The requirement for an active Chromoting session means targeted attacks (phishing users into believing they need tech support) are more likely than mass exploitation. Affected employees using Windows, macOS, or Linux workstations are equally at risk.

Affected systems

Google Chrome versions before 149.0.7827.53 are vulnerable. The flaw affects Chrome on Windows, macOS, and Linux systems. Chromoting users on any of these platforms are in scope. Other Chromium-based browsers may inherit this vulnerability depending on their version and inclusion of Chromoting functionality. Apple Safari and Firefox users are not affected. The vulnerability does not impact the Chrome OS platform itself in the same manner, though Chromebook users connecting to affected Chrome instances remain at risk.

Exploitability

The vulnerability requires network access and user interaction, reducing the likelihood of opportunistic mass exploitation. However, the attack is practical: an attacker must convince a user to initiate or remain in a Chromoting session, then deliver malicious network traffic—feasible via a compromised relay server, network man-in-the-middle position, or by establishing a Chromoting connection under false pretenses. Once triggered, code execution is reliable. The flaw has not been reported in active exploitation in the wild, but the straightforward attack chain and moderate barrier to entry (social engineering plus network capability) mean threat actors will likely develop exploits post-disclosure if they haven't already.

Remediation

Users and administrators must update Chrome to version 149.0.7827.53 or later. Automatic updates are enabled by default in Chrome; verify completion by navigating to chrome://settings/help. For organizations, deployment via MDM/GPO policies ensures timely patching. Until patching is complete, users should avoid initiating Chromoting sessions with untrusted or unverified sources. Disable Chromoting if not actively needed, and isolate systems used for sensitive work from untrusted networks.

Patch guidance

Google Chrome 149.0.7827.53 and later versions contain the fix. Organizations using Chrome Fleet or device management tools should deploy updates within 48–72 hours of release to production users. Verify patch status by checking chrome://settings/help in each user's browser; it should report version 149.0.7827.53 or higher. For enterprise deployments, test the patched version in a pilot group before full rollout. Rollback is not recommended unless a critical regression is identified; instead, apply the patch as soon as possible.

Detection guidance

Monitor for suspicious Chromoting connection attempts, including connections from unexpected IP addresses or at unusual times. Log Chromoting events in environments where Chrome logging is enabled. Watch for crash reports or instability in Chrome processes, which may indicate exploitation attempts. If network telemetry is available, identify and inspect malformed Chromoting protocol traffic. EDR tools should alert on Chrome process spawning child processes with elevated privileges or accessing sensitive system resources. Check for lateral movement or credential access following Chromoting session timestamps, which may indicate post-exploitation activity.

Why prioritize this

While Chromoting is not universally deployed, the HIGH CVSS score (8.8), network attack vector, and high impact (confidentiality, integrity, availability) mandate rapid patching. The requirement for user interaction lowers immediate risk but does not eliminate it in targeted attack scenarios. Organizations with active remote support workflows or users relying on Chromoting should prioritize this patch within the first week of release. Teams without Chromoting in use should still patch as part of routine Chrome updates.

Risk score, explained

The CVSS 8.8 score reflects a network-accessible, low-complexity attack that achieves arbitrary code execution (high impact on confidentiality, integrity, and availability). The score is tempered by the UI interaction requirement. Chromium's own severity rating of 'Medium' reflects their internal risk model, which may weight sandboxing and user agency differently; the CVSS score is more conservative and appropriate for enterprise risk assessment. In isolated or air-gapped environments, risk is lower; in open networks with active Chromoting use, risk is elevated.

Frequently asked questions

Do I need Chromoting enabled to be vulnerable?

Yes. The vulnerability only affects users with an active or recently active Chromoting session. If you don't use Chrome Remote Desktop, you are not at risk from this specific flaw, though you should still patch Chrome for other security reasons.

Can an attacker exploit this without network access?

No. The attacker must send malicious network traffic, typically to the Chromoting relay servers or directly to an active connection. An attacker on the same local network or with network visibility (including ISP-level positions) could potentially deliver the payload, but random internet users cannot.

What does 'use-after-free' mean in practical terms?

A use-after-free occurs when a program tries to access memory that has already been released. In this case, Chromoting frees an object too early, and later code attempts to use it. An attacker-crafted message triggers this condition and can overwrite or read the freed memory, leading to code execution.

Will Chrome autoupdate fix this automatically?

Most likely yes. If you have autoupdate enabled (default), Chrome will download and install version 149.0.7827.53 in the background and prompt you to relaunch the browser. Check chrome://settings/help to see your current version and force an update check if needed.

This analysis is based on public CVE data and vendor advisories as of the publication date. Exploit details, active attack prevalence, and patch rollout timelines may change. Organizations should verify patch availability and compatibility in their environment before deployment. This document is provided for informational purposes and does not constitute legal, compliance, or operational security advice. Consult your internal security team, vendor advisories, and threat intelligence feeds for real-time guidance. Source: NVD (public-domain), retrieved 2026-07-12. Analysis generated by SEC.co (claude-haiku-4-5).