CVE-2026-11224: Use-After-Free in Chrome Chromoting on Linux (CVSS 8.1)
A use-after-free vulnerability in Google Chrome's Chromoting remote desktop feature on Linux systems can allow an attacker to execute arbitrary code on a victim's machine through specially crafted network traffic. The attacker does not need any special privileges or user interaction beyond network access. This is a critical flaw in the remote desktop protocol handling that leaves systems open to full code execution compromise.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.1 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-416
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Use after free in Chromoting in Google Chrome on Linux prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code via malicious network traffic. (Chromium security severity: Low)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11224 is a use-after-free vulnerability (CWE-416) in the Chromoting subsystem of Google Chrome on Linux. The flaw arises from improper memory management where code attempts to access memory that has already been freed, allowing a network-based attacker to trigger this condition and gain arbitrary code execution. The vulnerability requires network accessibility but no user interaction or elevated privileges. Chrome versions prior to 149.0.7827.53 on Linux are affected.
Business impact
Exploitation of this vulnerability could allow attackers to execute arbitrary code within the Chrome process context on Linux endpoints. For organizations relying on Chrome's remote desktop capabilities (Chromoting), this creates a pathway for remote compromise without requiring user awareness or interaction. The impact extends to confidentiality, integrity, and availability—attackers could steal sensitive data, modify systems, or disrupt operations. This is particularly concerning for users who access Chromoting across untrusted networks.
Affected systems
Google Chrome on Linux operating systems running versions prior to 149.0.7827.53. The Linux kernel itself is listed as an affected vendor product in the CVE record, though the primary vulnerability resides in Chrome's Chromoting implementation. Organizations should inventory Chrome installations on Linux servers and workstations, particularly those used for remote access scenarios or exposed to untrusted network segments.
Exploitability
Exploitation requires network access and the ability to send malicious network traffic to the target Chrome instance, likely during an active Chromoting session or against the Chromoting listener. The CVSS vector indicates high complexity (AC:H), suggesting specific conditions or race conditions may need to align, but the lack of required privileges or user interaction means the barrier to exploitation remains low for a motivated attacker. The vulnerability is not currently listed on the CISA KEV catalog, indicating no active weaponized exploits have been publicly disclosed and monitored at this time.
Remediation
Update Google Chrome on Linux systems to version 149.0.7827.53 or later. This release includes a patch that resolves the use-after-free condition in Chromoting. Verify the patch version against the official Google Chrome release notes and security advisory to confirm applicability. Organizations should prioritize this update for systems that actively use Chromoting or are exposed to untrusted networks.
Patch guidance
Deploy Chrome version 149.0.7827.53 or later across all Linux environments. For enterprise deployments, use Google's browser policy controls to enforce automatic updates or pushed deployment. Test the update in a pre-production environment first to ensure compatibility with any organization-specific extensions or configurations. Given the CVSS score of 8.1 and the network-based attack vector, prioritize this patch within 5–7 days of availability.
Detection guidance
Monitor for unexpected network connections to Chrome instances, particularly involving Chromoting ports or processes. Log and alert on Chrome process crashes or restarts that could indicate exploitation attempts. Inspect network traffic for anomalous patterns destined to Chromoting listeners. Host-based monitoring should capture use-after-free indicators such as memory corruption signatures or unusual Chrome process behavior. Review Chrome version inventory regularly to identify systems still running vulnerable versions.
Why prioritize this
This vulnerability merits urgent remediation due to its combination of high CVSS score (8.1), network-based attack vector (AV:N), and lack of required user interaction (UI:N). Although listed as Low severity by Chromium, the overall impact on confidentiality, integrity, and availability is substantial. Any system running Chromoting on Linux should be treated as a high-priority patch target to prevent remote code execution.
Risk score, explained
The CVSS 3.1 score of 8.1 (HIGH severity) reflects the critical nature of arbitrary code execution achievable through network access without privileges or user interaction. The high complexity (AC:H) moderately reduces the likelihood of spontaneous exploitation but does not significantly lower the severity of successful compromise. The unchanged scope (S:U) and maximum impact across all three security dimensions (C:H/I:H/A:H) reinforce the urgent remediation priority.
Frequently asked questions
Does this vulnerability affect Chrome on Windows or macOS?
No. CVE-2026-11224 is specific to Google Chrome on Linux systems. Windows and macOS users are not affected by this particular use-after-free in Chromoting.
Is this vulnerability exploited in the wild?
As of the last update, this vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog, meaning no active or weaponized exploits have been publicly reported or actively tracked. However, the network-based attack vector and lack of user interaction requirement mean organizations should not delay patching.
What is Chromoting and who is affected?
Chromoting is Google Chrome's built-in remote desktop feature that allows users to securely access their computer from another device. Anyone using Chrome's remote access capabilities on Linux—including remote workers, IT support staff, and system administrators—should update immediately.
What should I do if my organization cannot patch immediately?
Until patching is complete, restrict network access to Chromoting listeners, disable Chromoting if not actively needed, and monitor for suspicious network activity targeting Chrome processes. Use network segmentation to limit exposure of vulnerable systems to untrusted networks.
This analysis is based on publicly available vulnerability data and official vendor advisories as of the publication date. CVSS scores and severity ratings are derived from the NVD and vendor sources and reflect assessed risk; actual impact may vary by environment. Organizations should verify patch availability and compatibility with their specific Chrome version and Linux distribution before deploying updates. This document does not constitute legal or compliance advice. For the most current information, consult Google's official Chrome security page and your organization's vulnerability management policies. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10001HIGHChrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGHChrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10007HIGHChrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)
- CVE-2026-10012HIGHChrome Skia Use-After-Free Sandbox Escape (v148.0.7778.216)
- CVE-2026-10013HIGHUse-After-Free in Chrome WebCodecs – Patch Guide & Risk Assessment
- CVE-2026-10016HIGHUse-After-Free in Chrome DOM – Sandbox Code Execution Vulnerability
- CVE-2026-10882HIGHCritical Chrome Use-After-Free RCE Vulnerability – Exploit Details & Patch Guidance