MEDIUM 6.5

CVE-2026-11208: Use-After-Free in Chrome Codecs – Information Disclosure Vulnerability

A use-after-free vulnerability exists in the codec handling components of Google Chrome versions prior to 149.0.7827.53. An attacker can craft a malicious HTML page that, when visited by a user, exploits this memory safety flaw to read sensitive data directly from the browser process's memory. The vulnerability requires user interaction (visiting a malicious site) but does not require any special privileges to exploit.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-416
Affected products
4 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Use after free in Codecs in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

This vulnerability is a classic use-after-free (CWE-416) condition in Chrome's codec subsystem. When codec objects are freed but subsequently accessed without proper validation, an attacker can manipulate heap memory state through a specially crafted HTML page to cause the browser to leak sensitive information during codec processing. The flaw is not exploitable for code execution or denial of service—it is exclusively an information disclosure vector affecting confidentiality of process memory.

Business impact

Organizations whose staff rely on Chrome for work face potential data exfiltration risk when employees visit untrusted or compromised websites. Sensitive information—such as authentication tokens, cached credentials, or data from other tabs—could be exposed. The impact is heightened in environments where Chrome processes sensitive client data or connects to internal services. However, the attack is not self-propagating; it requires explicit user navigation to a malicious site.

Affected systems

Google Chrome versions prior to 149.0.7827.53 are vulnerable across all supported platforms: Windows, macOS, and Linux. The vulnerability affects Chrome on all these operating systems. Other Chromium-based browsers (Edge, Brave, Opera, etc.) may also be affected depending on their incorporation of the vulnerable codec code and update cadence, though this CVE specifically names Chrome. Mobile versions of Chrome should also be treated as in-scope pending vendor guidance.

Exploitability

Exploitability is moderately constrained but not negligible. An attacker must convince a user to visit a malicious or compromised website—no browser plugins, extensions, or system misconfigurations are required. The attack does not work remotely without user interaction. Public exploit code has not been documented in the KEV catalog, indicating limited evidence of active weaponization at the time of disclosure. However, the relative simplicity of HTML-based exploitation means proof-of-concept development is feasible for skilled attackers.

Remediation

Users and administrators must update Chrome to version 149.0.7827.53 or later. Chrome typically auto-updates, but organizations using managed Chrome deployments should verify update policies and force distribution if necessary. Interim mitigations (e.g., blocking untrusted sites, sandboxing Chrome processes) reduce but do not eliminate risk. Delaying patch deployment while relying on user behavior alone is not a sustainable strategy.

Patch guidance

Verify that Chrome has been updated to version 149.0.7827.53 or later. Check Settings > About Google Chrome to confirm the installed version; if it shows an earlier version, force an update by clicking the update button or restarting the browser. Organizations using Google Admin Console or equivalent managed deployment should push this version to all enrolled endpoints. Test the patch in a non-production environment if your organization has custom browser configurations or policy overrides. No rollback is necessary; this is a security-only patch with no breaking changes noted.

Detection guidance

Monitor for unusual codec-related process activity or memory access patterns on systems running Chrome. Inspect browser logs and memory dump analysis tools if data exfiltration is suspected after a user visited a potentially malicious site. Network detection is difficult because the exfiltration channel is codec processing, not a distinct C2 connection. Endpoint Detection and Response (EDR) tools sensitive to heap spraying or memory manipulation may alert on exploitation attempts, though false positives are common. User behavior indicators—reports of unexpected credential resets or account compromise following browsing of suspicious links—should trigger investigation.

Why prioritize this

This vulnerability warrants prompt patching due to its information disclosure nature and broad user base. Although the CVSS score (6.5 Medium) and lack of KEV status suggest lower urgency than critical exploits, the convergence of three factors elevates practical priority: (1) ease of exploitation via crafted web content, (2) potential for high-value data exfiltration if targeted at specific users, and (3) prevalence of Chrome in corporate and personal use. Patch deployment should complete within 2–4 weeks in most environments, faster in high-risk verticals (finance, healthcare, defense).

Risk score, explained

The CVSS 3.1 score of 6.5 (Medium) reflects a network-exploitable flaw with low complexity, requiring user interaction and affecting confidentiality but not integrity or availability. The score appropriately captures the non-critical nature of information disclosure versus remote code execution. However, real-world context matters: if your organization processes or stores sensitive data within Chrome, or if users frequently visit untrusted sites, the operational risk may exceed the base CVSS metric. Conversely, in air-gapped environments with restricted browsing, risk is substantially lower.

Frequently asked questions

Will updating Chrome break my extensions or custom configurations?

Chrome version 149.0.7827.53 is a security patch and does not introduce breaking changes to the extension API or configuration framework. Extensions should continue to function. If you rely on outdated third-party extensions, verify compatibility before broad rollout, but this is a standard precaution and not specific to this patch.

Can this vulnerability be exploited if a user is not actively using Chrome (e.g., browser is idle)?

The vulnerability requires codec processing to occur, which typically happens when a user views media content or codec-heavy pages. A completely idle browser tab would not be exploitable. However, modern websites often run background media or auto-play content, so even a minimized or background tab could be at risk if it loads the attacker's crafted page.

Does this vulnerability affect Chrome on mobile devices (Android, iOS)?

Chrome on Android uses the same codec libraries as desktop Chrome and is presumed vulnerable. Chrome on iOS uses WebKit instead of Chromium's rendering engine, so iOS Chrome is unaffected. Verify the version numbers of your mobile Chrome deployments and update Android Chrome to the patched version.

What data could an attacker realistically steal via this vulnerability?

An attacker can read arbitrary memory from the Chrome process, potentially capturing session tokens, cached passwords, data from other tabs, and temporary buffers. The specific content depends on what is in memory at the time of exploitation. This is why rapid patching is important for organizations handling sensitive information.

This analysis is based on official CVE and vendor data current as of the publication date. Security advisories and patch availability may be updated by vendors; always verify patch versions against official Google Chrome release notes before deployment. This vulnerability has not been added to the CISA KEV catalog, indicating no confirmed active exploitation at time of analysis, but absence from KEV does not guarantee lack of threat actor interest. Organizations should not rely solely on CVSS scores for prioritization; contextualize this vulnerability against your specific data sensitivity, user behavior, and browsing policies. No exploit code is provided or endorsed in this analysis. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).