CVE-2026-11144: Chrome Use-After-Free in Media Processing – HIGH Severity Remote Code Execution
A use-after-free memory flaw in Google Chrome's media handling allows an attacker to execute malicious code within Chrome's sandbox by tricking a user into opening a specially crafted video file. While sandboxed, successful exploitation could still grant an attacker significant control over the affected browser process and potentially access to sensitive user data.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-416
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Use after free in Media in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted video file. (Chromium security severity: Medium)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11144 is a use-after-free vulnerability (CWE-416) in Chrome's media subsystem affecting versions prior to 149.0.7827.53. The flaw occurs when the media processing component fails to properly manage memory references, allowing an attacker to reference freed memory and execute arbitrary code within the Chrome sandbox. The vulnerability requires user interaction—specifically opening a malicious video file—but no additional privileges or special browser configuration. The Chromium project classified this as Medium severity internally, though the CVSS 3.1 score of 8.8 reflects the HIGH severity rating due to the combination of network-based attack vector, low complexity, required user interaction, and high impact to confidentiality, integrity, and availability.
Business impact
Organizations where employees browse the web using Chrome face exposure to remote code execution through email attachments, malicious websites, or compromised media repositories. Successful exploitation could lead to theft of authentication tokens, cached credentials, browsing history, and data stored within web applications. The sandbox containment limits lateral movement, but attackers may pivot to other systems or launch secondary attacks if they obtain sufficient privileges or credentials from the compromised browser process.
Affected systems
Google Chrome versions prior to 149.0.7827.53 are directly affected. The vulnerability manifests across all operating systems where Chrome runs—Windows, macOS, and Linux. While the CVE lists other platforms, Chrome is the affected application; users on any OS running an outdated Chrome version should be considered at risk.
Exploitability
Exploitation requires social engineering to make a user open a malicious video file. No bypass of security features, authentication, or special system configuration is needed. The attack surface is broad because video is a common file type and users readily open media from email, messaging apps, and web downloads. However, exploitation is not wormable—each victim must be individually targeted with a crafted file.
Remediation
Update Google Chrome to version 149.0.7827.53 or later immediately. Most modern Chrome deployments auto-update, but verification is recommended for enterprise environments with delayed rollout policies or disabled auto-update. Users can manually check their version at chrome://settings/help, which also triggers a forced update check if a newer build is available.
Patch guidance
Deploy Chrome 149.0.7827.53 or later across your organization. For enterprises using Chrome managed policies, verify that auto-update is enabled or schedule a forced update cycle. Test the patch in a limited pilot environment if your organization has custom extensions or legacy web applications that might have compatibility concerns, though Chrome's update process is generally stable. Verify patch installation by confirming the version string in chrome://settings/help or via endpoint management tools.
Detection guidance
Monitor for crash logs and memory sanitizer reports on systems running affected Chrome versions, as exploitation often triggers crashes. Network detection is limited without reverse-engineering the malicious video file format. Host-based detection should focus on anomalous child processes spawned by Chrome or unusual file access patterns by the Chrome process following media playback. Endpoint Detection and Response (EDR) solutions should alert on code execution originating from the Chrome sandbox or suspicious memory operations within media playback threads.
Why prioritize this
This vulnerability merits immediate patching due to the combination of easy user-directed exploitation, high CVSS score (8.8), and significant impact potential. The requirement for user interaction does lower the attack probability compared to wormable flaws, but the prevalence of video content in daily browsing makes targeted exploitation highly feasible. Not yet listed on the KEV catalog, but the attack pattern and impact profile suggest it may be added as threat actors adapt the exploit.
Risk score, explained
The CVSS 3.1 score of 8.8 (HIGH) reflects a network-accessible vulnerability requiring only user interaction, with no privilege escalation or user configuration required. All three impact categories—confidentiality, integrity, and availability—score as high because code execution within the sandbox permits data theft, process manipulation, and denial of service. The sandbox boundary prevents full system compromise but does not eliminate risk to user data and credentials accessible within the browser context.
Frequently asked questions
Will updating Chrome automatically protect my organization?
Most Chrome installations auto-update, but you should verify in your enterprise policies. Navigate to chrome://settings/help to confirm your current version and trigger an immediate update check. If auto-update is disabled in your environment, you must manually deploy version 149.0.7827.53 or schedule a managed rollout.
Can users be safely using older Chrome versions if they avoid opening video files?
Theoretically, avoiding video files reduces risk, but this is impractical and unreliable. Videos are embedded in web pages, appear in messaging apps, and can be disguised as other file types. The only reliable protection is updating Chrome. Do not rely on user behavior as a control for this vulnerability.
Does the sandbox prevent all damage from this exploit?
The Chrome sandbox contains the initial code execution and prevents direct kernel-level access, but it does not protect data stored within the browser—including passwords, authentication tokens, cached credentials, and browsing history. An attacker can exfiltrate this sensitive information without escaping the sandbox.
Is there any indication this vulnerability is being actively exploited?
As of the published date, CVE-2026-11144 is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, suggesting no widespread public exploitation has been reported yet. However, the technical accessibility of the vulnerability means threat actors may develop exploits rapidly, so timely patching remains critical.
This analysis is based on the vulnerability disclosure published on 2026-06-04 and modified 2026-06-17. Patch version numbers and affected software versions should be verified against official vendor advisories and release notes before deployment. While this vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities catalog, the absence of KEV status does not indicate low risk or low exploitability; organizations should prioritize patching regardless. No exploit code or weaponized proof-of-concept is provided or endorsed in this analysis. Always test patches in a controlled environment before broad deployment. Source: NVD (public-domain), retrieved 2026-07-12. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10001HIGHChrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGHChrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10007HIGHChrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)
- CVE-2026-10012HIGHChrome Skia Use-After-Free Sandbox Escape (v148.0.7778.216)
- CVE-2026-10013HIGHUse-After-Free in Chrome WebCodecs – Patch Guide & Risk Assessment
- CVE-2026-10016HIGHUse-After-Free in Chrome DOM – Sandbox Code Execution Vulnerability
- CVE-2026-10882HIGHCritical Chrome Use-After-Free RCE Vulnerability – Exploit Details & Patch Guidance