HIGH 8.8

CVE-2026-11629: Critical Use-After-Free in Google Chrome Ozone Component

A use-after-free vulnerability in Google Chrome's Ozone component allows attackers to crash the browser or corrupt its memory by tricking users into visiting a specially crafted webpage. The attacker needs the victim to click a link or visit a malicious site—no special privileges are required. Chrome versions before 149.0.7827.103 are affected.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-416
Affected products
4 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Use after free in Ozone in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11629 is a use-after-free flaw (CWE-416) in Chromium's Ozone window system abstraction layer. The vulnerability permits remote code execution or heap corruption when a crafted HTML page is rendered. An attacker can trigger the vulnerability through user interaction (clicking a link or visiting a site), bypassing the sandboxed renderer process and potentially achieving arbitrary code execution with user privileges. Google's security team classified this as Critical severity in the Chromium project before publishing the CVE as HIGH (CVSS 8.8).

Business impact

Successful exploitation could allow attackers to assume the privileges of the user running Chrome, potentially accessing sensitive data, stealing credentials, or installing malware. Organizations relying on Chrome in high-security contexts—customer-facing web applications, financial services portals, or secure communication tools—face elevated risk if users remain unpatched. Widespread, targeted campaigns could disrupt productivity or compromise systems at scale.

Affected systems

Google Chrome versions prior to 149.0.7827.103 are vulnerable on Windows, macOS, and Linux. The vulnerability affects Chromium-based browsers that use the Ozone abstraction layer, but the primary documented target is Google Chrome. Organizations using Chrome as a standard browser, or relying on Chromium derivatives (Edge, Opera, Brave), should verify patch status against vendor advisories.

Exploitability

Exploitability is high. The attack requires only user interaction (visiting a malicious webpage or clicking a link) and no special network conditions or authentication. No public exploit code is currently tracked in CISA's Known Exploited Vulnerabilities catalog, but the critical rating and low attack complexity mean exploitation is practical and likely to be weaponized quickly if not already. Attackers may use social engineering, malvertising, or watering-hole techniques to distribute the malicious HTML.

Remediation

Update Google Chrome to version 149.0.7827.103 or later immediately. For organizations managing Chrome deployments, push updates through your device management platform (MDM/EMM) and verify rollout across endpoints. Users on auto-update should receive the patch automatically; manual users must visit Help > About Google Chrome to trigger an update check. No workarounds exist; patching is the only mitigation.

Patch guidance

Deploy Chrome version 149.0.7827.103 or newer across all managed devices without delay. For enterprise users, configure automatic updates or use your MDM solution to force updates if feasible. Verify patch deployment by checking chrome://version in each browser. If your organization uses Chromium-based alternatives (Microsoft Edge, Brave, Opera), contact the vendor to confirm patch availability and timeline. Test patches in a non-production environment before broad rollout to avoid compatibility issues, though this vulnerability's severity justifies rapid deployment even with minimal testing.

Detection guidance

Monitor browser version inventory and alert on any Chrome instance running version 149.0.7827.102 or earlier. Check endpoint logs and network telemetry for user visits to suspicious domains or unusual iframe/script activity from external sources. Behavioral detection tools should flag abnormal child process spawning from Chrome, memory access patterns consistent with heap corruption, or crash dumps citing the Ozone module. Network-level detection is difficult since the malicious HTML is fetched over normal HTTPS traffic; focus on post-compromise indicators like process injection or lateral movement.

Why prioritize this

This vulnerability merits critical priority due to its combination of high CVSS score (8.8), low attack complexity, user-interaction requirement only (not requiring clicks on suspicious links—normal browsing can trigger it), and potential for achieving code execution with user privileges. The absence from CISA's KEV list does not reduce urgency; critical Chromium vulnerabilities are historically exploited within days. Organizations should treat this as a zero-day equivalent in terms of response time.

Risk score, explained

CVSS 8.8 (HIGH) reflects the attack vector (Network), low attack complexity (no special conditions), no privilege escalation required, user interaction needed, and impact on confidentiality, integrity, and availability. While classified as HIGH under CVSS, Chromium's internal severity rating of Critical and the practical exploitability elevate real-world risk. The difference stems from CVSS not fully accounting for the ubiquity of Chrome and the likelihood of active exploitation of memory corruption flaws.

Frequently asked questions

Will Chrome auto-update fix this for me?

If you have automatic updates enabled (the default on most installations), Chrome will update to 149.0.7827.103 within a few hours to a day of release. You can force an immediate check by visiting Help > About Google Chrome. Do not delay—visit that page today if you have not done so recently.

What if I use Microsoft Edge or another Chromium browser?

Edge and other Chromium derivatives are affected if they use the Ozone component and have not applied an equivalent patch. Contact your browser vendor immediately to confirm patch status and availability. Do not assume they are patched just because Chrome is; each vendor manages updates independently.

Can I catch or prevent this attack without patching?

No reliable prevention method exists without updating. While disabling JavaScript or using aggressive ad blockers may reduce malware-delivery risk, attackers can craft the exploit in HTML/CSS or exploit the vulnerability through legitimate sites. Patching is the only effective mitigation.

Is this being actively exploited?

As of the publication date, this vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog. However, given its critical Chromium rating and ease of exploitation, defensive assumption should be that exploitation is imminent or already occurring in targeted campaigns. Update immediately rather than waiting for public confirmation of active attacks.

This analysis is based on publicly available information as of the published date. CVSS scores and severity ratings are provided by NVD and vendor sources; individual organizations may assess risk differently based on their environment, user base, and controls. No exploit code or weaponization details are provided in this report. Patch version numbers and availability dates must be verified against official Google Chrome release notes and vendor advisories. This explainer is for informational purposes and does not constitute legal or compliance advice. Organizations should consult their security teams and follow internal patch management policies. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).