CVE-2026-11630: Critical Use-After-Free in Google Chrome File Input Handling
Google Chrome versions prior to 149.0.7827.103 contain a use-after-free vulnerability in its file input handling. An attacker can craft a malicious HTML page that, when visited by a user, triggers improper memory management in Chrome's file handling code. This allows the attacker to corrupt memory on the victim's computer, potentially leading to arbitrary code execution. The vulnerability requires user interaction (visiting a malicious webpage) but affects users across Windows, macOS, and Linux systems.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-416
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Use after free in File Input in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11630 is a use-after-free (CWE-416) vulnerability in Google Chrome's file input processing. The flaw occurs when Chrome improperly manages memory associated with file input objects, allowing an attacker to reference freed memory and trigger heap corruption. The vulnerability is reachable over the network via a crafted HTML page and requires minimal user interaction—simply visiting a malicious site is sufficient. Chrome's security team has classified this as Critical severity. The CVSS 3.1 score of 8.8 (HIGH) reflects the combination of network-based attack vector, low complexity, no privilege requirements, and high impact across confidentiality, integrity, and availability.
Business impact
This vulnerability poses a significant risk to organizations whose employees use Chrome for work or general browsing. Successful exploitation could allow attackers to steal sensitive data, modify files, or gain control of affected systems. The attack surface is broad—any user visiting a compromised or attacker-controlled website is at risk. For enterprises relying on Chrome as a primary browser, this represents a critical threat to endpoint security and data confidentiality. The lack of KEV designation does not diminish the practical risk; active exploitation in the wild may occur rapidly following public disclosure.
Affected systems
The vulnerability affects Google Chrome prior to version 149.0.7827.103 across all major operating systems: Windows, macOS, and Linux. Any user running an older version of Chrome is vulnerable. The underlying Chromium engine also affects other Chromium-based browsers, though this CVE specifically details Chrome. Organizations must verify whether dependent systems (such as Electron applications or embedded Chromium instances) use vulnerable versions.
Exploitability
Exploitation requires a victim to visit a malicious webpage, making this a practical vector for widespread attacks. The attack complexity is low—attackers need only host a crafted HTML page. No special privileges or authentication are needed. The barrier to exploitation is primarily social engineering or compromised legitimate websites. Given the ubiquity of Chrome and constant web browsing, the real-world exploitability is high, even though the CVSS vector includes a UI interaction requirement.
Remediation
Organizations must prioritize updating Google Chrome to version 149.0.7827.103 or later across all endpoints. Enable automatic updates if not already active. For enterprises with managed Chrome deployments, push the update through your device management platform. Users of Chromium-based browsers (Edge, Brave, Opera, etc.) should check their respective vendors for patched versions, as they may also be affected. Verify patch deployment across all systems before considering remediation complete.
Patch guidance
Update Google Chrome to version 149.0.7827.103 or any subsequent release. For Windows users, navigate to Help > About Google Chrome to trigger an automatic check and install. macOS and Linux users can use the same menu path or rely on their system's update mechanism. Enterprise customers using Google Update or similar management tools should verify deployment of the patched version. Test updates in a non-critical environment first if your organization requires change management procedures. Confirm the browser version via chrome://version after updating.
Detection guidance
Monitor for Chrome versions below 149.0.7827.103 in your endpoint inventory using device management tools or vulnerability scanning solutions. Look for file input-related crashes or unexpected behavior in Chrome processes, which may indicate exploitation attempts. Web application firewalls and intrusion detection systems should monitor for obfuscated or suspicious HTML content targeting file input elements. User reports of browser crashes on specific websites may warrant investigation. Track visits to known malicious domains if you have network logging in place.
Why prioritize this
This vulnerability merits immediate attention due to its Critical Chromium severity rating, high CVSS score (8.8), network-based attack vector, and low barrier to exploitation. The widespread use of Chrome and the simple attack surface—a malicious webpage—mean that vulnerable users face continuous risk during normal browsing. The lack of KEV designation does not reduce urgency; public disclosure and easy exploitability virtually guarantee rapid weaponization. Organizations should treat this as a day-one patch priority.
Risk score, explained
The CVSS 3.1 score of 8.8 (HIGH) reflects a critical combination of factors: network-accessible attack vector (AV:N), low attack complexity (AC:L), no privilege requirements (PR:N), and high impact to confidentiality, integrity, and availability (C:H/I:H/A:H). The requirement for user interaction (UI:R) prevents a perfect 9.8 score but does not materially reduce the practical risk. The score aligns with the Chromium security team's Critical designation and reflects the ease of exploitation and severity of potential compromise.
Frequently asked questions
Will automatic Chrome updates protect me from this vulnerability?
If you have automatic updates enabled in Chrome, your browser should fetch and install version 149.0.7827.103 automatically, though you may need to restart the browser to apply the update. However, automatic updates do not guarantee immediate patching—there can be a delay of hours or days. Check your version at chrome://version and update manually if needed. For enterprises, managed deployments may take longer; verify rollout status in your device management console.
Does this affect browsers other than Chrome?
This CVE is specific to Google Chrome. However, other Chromium-based browsers (Microsoft Edge, Brave, Opera, etc.) may have similar vulnerabilities due to shared code. Check with your browser vendor for patches addressing use-after-free flaws in file input handling. Apple Safari and Mozilla Firefox use different rendering engines and are not affected by this specific CVE.
What happens if I do not update Chrome?
Remaining unpatched leaves you vulnerable to remote code execution through crafted HTML pages. Attackers could steal credentials, documents, and browser data; modify files; or install malware. Given the simplicity of the attack (visiting a malicious website), the practical risk of exploitation is high. Delaying the patch significantly increases your exposure window.
Can I detect if someone has tried to exploit this on my system?
Direct detection of exploitation attempts is difficult without logs from web application firewalls or intrusion detection systems. However, unusual Chrome crashes, unexpected memory errors, or antivirus alerts following website visits may indicate exploitation. Reviewing browser history and checking for unexpected installed extensions or changes to settings may reveal compromise. If you suspect exploitation, isolate the system, run a full antivirus scan, and consider engaging incident response professionals.
This analysis is provided for informational purposes and reflects publicly available information as of the publication date. CVSS scores and vendor severity ratings are based on provided source data. Organizations should independently verify patch availability and compatibility with their environments before deploying updates. Actual exploit development, weaponization, or active attacks in the wild may not yet be publicly confirmed; however, organizations should assume active exploitation is likely given the vulnerability's accessibility and impact. This assessment does not constitute security or legal advice. For authoritative guidance, consult Google's official security advisory and your organization's security and compliance teams. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10001HIGHChrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGHChrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10007HIGHChrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)
- CVE-2026-10012HIGHChrome Skia Use-After-Free Sandbox Escape (v148.0.7778.216)
- CVE-2026-10013HIGHUse-After-Free in Chrome WebCodecs – Patch Guide & Risk Assessment
- CVE-2026-10016HIGHUse-After-Free in Chrome DOM – Sandbox Code Execution Vulnerability
- CVE-2026-10882HIGHCritical Chrome Use-After-Free RCE Vulnerability – Exploit Details & Patch Guidance