CVE-2026-11117: Chrome Use-After-Free RCE on Windows – CVSS 8.8 – Patch 149.0.7827.53
A use-after-free vulnerability exists in Google Chrome's Views component on Windows systems. An attacker can exploit this flaw by crafting a malicious HTML page that, when visited by a user, allows remote code execution on the victim's machine. The vulnerability affects Chrome versions prior to 149.0.7827.53 and requires user interaction (visiting a malicious site), but once triggered, grants the attacker full system compromise capabilities.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-416
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Use after free in Views in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Medium)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11117 is a use-after-free vulnerability (CWE-416) in the Views subsystem of Google Chrome on Windows. The flaw allows an unauthenticated remote attacker to achieve arbitrary code execution through a specially crafted HTML page delivered over the network. The attack vector is network-based with low complexity, requiring only user interaction (clicking or visiting a link). Once exploited, the vulnerability provides complete confidentiality, integrity, and availability compromise. Google rated this as Medium severity in Chromium, but the CVSS v3.1 score of 8.8 (HIGH) reflects the ease of exploitation and the complete system compromise potential.
Business impact
This vulnerability poses a significant risk to organizations and individuals relying on Chrome for web browsing. Exploitation could lead to unauthorized access to sensitive data, installation of malware, ransomware deployment, or lateral movement within corporate networks if the affected machine is networked. The requirement for user interaction means social engineering and drive-by download campaigns are viable attack vectors. Browser-based compromises can be particularly damaging because browsers often have access to credentials, cached data, and can serve as a pivot point to internal systems.
Affected systems
Google Chrome on Windows operating systems running versions prior to 149.0.7827.53 are affected. This includes all Windows releases (Windows 10, Windows 11, and earlier versions) that have vulnerable Chrome installations. Chromebook systems and Chrome on macOS/Linux are not affected by this particular vulnerability. Any user or system with an unpatched Chrome browser is a potential target.
Exploitability
The vulnerability is highly exploitable in real-world scenarios despite requiring user interaction. The attack surface is broad—any HTML page served over HTTP/HTTPS can deliver the exploit payload. An attacker needs only to trick a user into visiting a malicious website, which can be accomplished through phishing, malvertising, compromised websites, or social engineering. Once a user visits the page, code execution is automatic. No special privileges, authentication, or user awareness are required beyond the click itself. The low complexity of the attack and high impact make this a practical security threat.
Remediation
Users and administrators must update Google Chrome to version 149.0.7827.53 or later. Chrome's auto-update mechanism typically deploys patches automatically, but administrators should verify that all deployed instances have been updated. Organizations should enforce Chrome update policies and monitor version compliance. Until patching is complete, consider restricting Chrome usage in high-security environments or implementing network-level controls to block known exploit delivery infrastructure if available.
Patch guidance
Update Google Chrome to version 149.0.7827.53 or later. For enterprise deployments: (1) verify update policies are enabled and set to auto-update or scheduled deployment; (2) test the patch in a non-production environment first; (3) monitor Chrome version reporting in your MDM/UEM solution to confirm rollout; (4) consider staging the update over 1-2 weeks to allow incident response teams to monitor for exploitation attempts; (5) force updates on critical systems if auto-update is delayed. Verify patch deployment by checking chrome://version in the browser's address bar or through your organization's inventory tools.
Detection guidance
Network-level detection is challenging because the exploit is delivered via standard HTTP/HTTPS traffic in a crafted HTML page. Endpoint detection should focus on: (1) monitoring for unexpected child processes spawned by chrome.exe or renderer processes; (2) alerting on unusual file system modifications or registry changes originating from Chrome processes; (3) detecting suspicious network connections initiated by Chrome (command-and-control callbacks); (4) EDR tools capable of detecting code injection or suspicious memory access patterns. Monitor Chrome version inventory to identify unpatched systems. If possible, collect browser crash logs and check for use-after-free related errors in diagnostic data.
Why prioritize this
This vulnerability merits immediate patching despite not being on the KEV catalog. The HIGH CVSS score (8.8), ease of exploitation via web browsing, lack of required privileges, and potential for widespread impact justify urgent remediation. Browser-based remote code execution is a preferred attack vector for both opportunistic and targeted campaigns. The window between public disclosure (2026-06-04) and patch availability is already closed, meaning active exploitation is plausible.
Risk score, explained
The CVSS v3.1 score of 8.8 reflects: Network attack vector (AV:N) allowing remote exploitation; Low attack complexity (AC:L) meaning standard techniques suffice; No required privileges (PR:N); User interaction required (UI:R) but minimal and easily bypassed through social engineering; Unchanged scope (S:U); and complete compromise across confidentiality, integrity, and availability (C:H/I:H/A:H). While Chromium categorized it as Medium severity, the CVSS computation appropriately elevates the practical risk due to the combination of easy delivery, lack of defenses, and total system compromise potential.
Frequently asked questions
Does this vulnerability affect Chrome on macOS or Linux?
No, CVE-2026-11117 is specific to Chrome on Windows. The Views component implementation differs across platforms, and this use-after-free is Windows-specific. However, users on other platforms should continue to update Chrome regularly for other security fixes.
Can I be exploited if I don't click links or visit suspicious websites?
The exploit requires visiting a malicious HTML page, which typically means the user must navigate to a compromised or attacker-controlled website. However, the page could be hosted on a legitimate site that has been compromised, injected into advertising networks, or delivered via email with social engineering. Simply browsing the web normally carries some risk if you land on an infected page.
Is there a workaround if I can't update Chrome immediately?
Workarounds are limited. The most practical interim measures are: restrict Chrome usage to essential tasks only, avoid visiting untrusted websites, disable JavaScript if possible (though this breaks most modern sites), or temporarily switch to a different browser. However, these are not substitutes for patching. Prioritize the update as soon as possible.
Will Chrome's sandboxing protect me from this exploit?
Chrome's sandbox provides a layer of containment, but a use-after-free in the Views component can potentially lead to sandbox escape or achieve code execution within the renderer process context, which still grants significant access to data and system resources. The sandbox reduces impact compared to an uncontained vulnerability, but does not prevent exploitation or data theft.
This analysis is based on publicly disclosed vulnerability data as of June 2026. Exploitation details, specific attack campaigns, and threat intelligence from private sources may provide additional context. Organizations should verify patch availability and compatibility in their specific environments before deployment. This document does not constitute legal, compliance, or insurance advice. Security decisions should be informed by risk assessments tailored to your organization's threat model, asset criticality, and regulatory requirements. Always test patches in non-production environments first. Source: NVD (public-domain), retrieved 2026-07-12. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10000HIGHChrome Sandbox Escape via Use-After-Free in Password Handling
- CVE-2026-10001HIGHChrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGHChrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10007HIGHChrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)
- CVE-2026-10012HIGHChrome Skia Use-After-Free Sandbox Escape (v148.0.7778.216)
- CVE-2026-10013HIGHUse-After-Free in Chrome WebCodecs – Patch Guide & Risk Assessment
- CVE-2026-10016HIGHUse-After-Free in Chrome DOM – Sandbox Code Execution Vulnerability