CVE-2026-11628: Chrome Use-After-Free in Ozone (Local Heap Corruption)
Google Chrome versions before 149.0.7827.103 contain a use-after-free memory error in the Ozone graphics subsystem. An attacker with physical access to a device can trigger this flaw to corrupt heap memory and potentially execute arbitrary code. While the Chromium project rates this as Critical, the CVSS score reflects the requirement for physical device access, which limits real-world exploitability for most organizations.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.8 MEDIUM · CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-416
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Use after free in Ozone in Google Chrome prior to 149.0.7827.103 allowed a local attacker to potentially exploit heap corruption via physical access to the device. (Chromium security severity: Critical)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11628 is a use-after-free vulnerability (CWE-416) in Chrome's Ozone display server abstraction layer. The flaw allows a local attacker with physical access to the device to cause heap corruption through a carefully crafted interaction. Ozone abstracts platform-specific windowing and graphics APIs, and the vulnerability suggests improper memory lifecycle management in this component. The attack requires no user interaction or elevated privileges, but does mandate physical presence at the target machine.
Business impact
For most enterprise environments, the physical access requirement significantly reduces exploitability risk. However, organizations with unattended public kiosks, shared laboratory workstations, or bring-your-own-device programs may face elevated exposure. A successful exploit could allow local code execution with the privileges of the Chrome process, potentially leading to data theft, credential compromise, or lateral movement within corporate networks if Chrome is running in a high-trust context.
Affected systems
Google Chrome prior to version 149.0.7827.103 is directly affected. The vulnerability also impacts Chrome running on affected operating systems: Windows, macOS, and Linux systems that run vulnerable Chrome versions. Note that the underlying operating system (Windows, macOS, Linux kernel) is listed in the vulnerability record, but the bug itself resides in Chrome; updating Chrome resolves the issue regardless of OS version.
Exploitability
Real-world exploitability is constrained by the requirement for physical device access (CVSS vector AV:P). This is not a remote network vulnerability. An attacker must have hands-on access to unlock the device or exploit it during an unattended session. Public exploit code is not known to exist in active threat feeds, and the vulnerability is not yet listed in the CISA Known Exploited Vulnerabilities catalog. However, the lack of required privileges or user interaction means that once physical access is achieved, exploitation is straightforward.
Remediation
Update Google Chrome to version 149.0.7827.103 or later on all affected systems. Chrome's auto-update mechanism should deliver this patch automatically if enabled; administrators should verify deployment in environments where auto-update is disabled. No workarounds exist; patching is the only mitigation. Test patch deployment in non-production environments first to ensure compatibility with organizational workflow and any third-party extensions.
Patch guidance
Google has released version 149.0.7827.103 as the fixed version. Check your current Chrome version in Settings > About Chrome (Windows/Linux) or Chrome > About Google Chrome (macOS). The browser will offer an automatic update; restart Chrome to complete installation. Enterprise administrators using Chrome policies should verify that updates are not blocked by policy and that client machines have checked in within 24 hours. For managed deployments, consider using Chrome Enterprise for centralized version control and update scheduling to ensure timely patching across your fleet.
Detection guidance
Monitor for Chrome process crashes or abnormal termination on systems with physical access constraints (kiosks, shared workstations). Logs may show segmentation faults or heap corruption errors if the vulnerability is triggered. Endpoint Detection and Response (EDR) tools should flag unexpected child processes spawned by Chrome or unusual memory access patterns. Network monitoring alone will not detect this vulnerability since exploitation is local. Ensure Chrome is updated to the patched version and verify via software inventory or browser extension policies (e.g., via Chrome Enterprise or MDM solutions).
Why prioritize this
Despite Chromium's Critical severity designation, the CVSS 6.8 (MEDIUM) and physical access requirement justify medium priority for most remote-work-first organizations. Prioritize patching for high-risk local environments: shared devices, public kiosks, development machines, and lab workstations where physical security is harder to enforce. Organizations with strict physical access controls and primarily remote staff can defer patching to the next maintenance window but should not ignore it indefinitely.
Risk score, explained
The CVSS 3.1 score of 6.8 reflects the high impact (Confidentiality, Integrity, and Availability all marked High) but penalizes the attack vector (Physical, AV:P). The lack of privilege escalation requirement (PR:N) and user interaction (UI:N) indicates the flaw is trivial to trigger once physical access is obtained, but the Physical access vector prevents a higher score. This score appropriately conveys that the vulnerability is serious *for devices with inadequate physical security*, but poses minimal risk to locked or monitored machines.
Frequently asked questions
Can this vulnerability be exploited remotely over a network?
No. This is strictly a local vulnerability requiring physical device access. It cannot be exploited via the internet, and network monitoring or firewalls will not help defend against it. Remote threat actors cannot weaponize CVE-2026-11628.
Do I need to worry about this if my Chrome auto-update is enabled?
Most users should be unaffected if auto-update is on, as Chrome will update automatically. However, verify your Chrome version (About Chrome) to confirm you are on 149.0.7827.103 or later. Auto-update may be delayed in some regions or behind corporate proxies, so do not assume it has occurred until verified.
What is the difference between the Chromium 'Critical' rating and the CVSS 6.8 'Medium' score?
Chromium's internal severity rating assesses the impact assuming the vulnerability can be triggered (Critical impact on integrity and confidentiality). CVSS 3.1, however, factors in the practical attack complexity and access requirements; the Physical access vector (AV:P) lowers the final score to 6.8. Both assessments are correct: the vulnerability is severe in impact but limited in scope by access constraints.
Are there any known exploits in the wild?
As of the last update, CVE-2026-11628 is not listed in CISA's Known Exploited Vulnerabilities catalog and no public exploit code is widely circulated. However, the simplicity of exploitation once physical access is gained means new exploits could emerge quickly if the flaw becomes widely known among local attackers.
This analysis is based on publicly available vulnerability data as of June 2026. CVSS scores and severity ratings reflect the Common Vulnerability Scoring System 3.1 standard and vendor assessments at the time of publication. Exploit availability, threat actor activity, and patch deployment timelines may evolve; monitor vendor advisories and security feeds for updates. This page does not constitute legal advice or guarantee of security outcomes. Organizations should conduct their own risk assessments and testing before deploying patches to production environments. SEC.co makes no warranty regarding the completeness or accuracy of remediation steps and recommends consultation with your vendor and security team for environment-specific guidance. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-11073MEDIUMChrome WebGL Use-After-Free Information Disclosure
- CVE-2026-11208MEDIUMUse-After-Free in Chrome Codecs – Information Disclosure Vulnerability
- CVE-2026-11249MEDIUMChrome Use-After-Free Information Disclosure Vulnerability
- CVE-2026-10001HIGHChrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGHChrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10007HIGHChrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)
- CVE-2026-10012HIGHChrome Skia Use-After-Free Sandbox Escape (v148.0.7778.216)