HIGH 8.3

CVE-2026-11631: Chrome Aura Sandbox Escape (Use-After-Free)

Google Chrome on Windows contains a use-after-free vulnerability in its Aura rendering subsystem that could allow an attacker to break out of the browser's sandbox. The flaw requires an attacker to first compromise the renderer process—typically through a separate vulnerability or exploit—and then use a malicious webpage to trigger memory corruption that escapes the sandbox. This is a post-exploitation technique rather than a direct entry point, but the consequence is severe: attackers could gain system-level access beyond Chrome's normal security boundaries.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.3 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Weaknesses (CWE)
CWE-416
Affected products
2 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Use after free in Aura in Google Chrome on Windows prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11631 is a use-after-free (CWE-416) vulnerability in Aura, the windowing and input-event system underlying Google Chrome's rendering pipeline. The vulnerability exists in Chrome versions prior to 149.0.7827.103 on Windows. An attacker who has already compromised the Chrome renderer process can craft a specially designed HTML page that triggers dereferencing of freed memory in Aura's rendering code. This memory corruption occurs within the context of the compromised renderer process, but the vulnerability's impact extends beyond normal process boundaries—it enables a sandbox escape that allows code execution at a privilege level above the sandboxed renderer.

Business impact

A successful exploitation chain combining an initial renderer compromise with this sandbox escape could allow an attacker to execute arbitrary code on a victim's Windows system with user-level privileges. In corporate environments, this could lead to lateral movement to other machines, data exfiltration, malware installation, or compliance violations. The vulnerability requires user interaction (visiting a malicious site) only after the renderer is already compromised, so the practical attack flow involves chaining this with other Chrome vulnerabilities. Organizations relying on Chrome as a secure boundary for untrusted content face elevated risk during the window before patch deployment.

Affected systems

Google Chrome running on Windows with versions before 149.0.7827.103 is affected. This includes all point releases and build variants of Chrome on Windows in the vulnerable version range. The vulnerability does not affect Chrome on macOS, Linux, or Android, nor does it affect Chromium-based browsers on Windows unless they incorporate the vulnerable Aura code unpatched. Google Chrome Enterprise users and consumer users alike are in scope.

Exploitability

Exploitability is currently limited because the vulnerability requires a prior renderer compromise; it is not a direct remote code execution vector on its own. The CVSS score of 8.3 reflects the high-privilege access (sandbox escape) and multi-stage attack chain: attackers must first exploit a separate vulnerability to gain renderer process control, then trigger this use-after-free with a crafted page. The vector AC:H (high attack complexity) reflects the necessary preconditions. No public exploit code or active in-the-wild exploitation has been confirmed as of the publication date. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.

Remediation

Administrators and end users should update Google Chrome to version 149.0.7827.103 or later on Windows systems. For enterprise deployments, ensure managed Chrome instances are configured to auto-update or push the patch via device management policies. Verify patch deployment by checking Chrome's version in chrome://version. Until patching is complete, mitigate risk by restricting access to untrusted websites and enforcing strong authentication (MFA) to limit lateral movement impact if a compromise occurs.

Patch guidance

Google has released Chrome 149.0.7827.103 with the fix for this vulnerability. Enterprise customers using Google Chrome Enterprise can verify patch status via their admin console and deploy updates through managed deployment settings. For standard Chrome users, the browser will auto-update; verify the update by restarting Chrome and checking Settings > About Google Chrome. If auto-update is disabled in your environment, enable it or manually download the latest Chrome installer from google.com/chrome. Test patch deployment in a pilot group before organization-wide rollout.

Detection guidance

Monitor Chrome version numbers across your Windows fleet using endpoint detection and response (EDR) tools, asset inventory systems, or Chrome's enterprise reporting features. Look for any Chrome instances still running versions prior to 149.0.7827.103. Additionally, review browser history and network logs for evidence of visits to suspicious or attacker-controlled sites that might indicate exploitation attempts. Network-based detection is difficult because the attack requires prior renderer compromise; prioritize host-based patch verification and process monitoring for anomalous Chrome behavior (crashes, privilege escalation attempts).

Why prioritize this

Although this vulnerability requires a prior renderer exploit and is not directly exploitable from the network, it represents a critical elevation in attack consequence: a successful exploitation chain results in sandbox escape and potential system compromise. Organizations should prioritize patching Chrome to 149.0.7827.103 within 2–4 weeks, accounting for testing and gradual rollout. The fact that it is not yet in active use (not on KEV list) provides a window of opportunity to patch proactively before attackers chain it with other Chrome CVEs.

Risk score, explained

The CVSS 3.1 score of 8.3 (HIGH severity) is driven by: high confidentiality, integrity, and availability impact (sandbox escape allows arbitrary code execution); network attack vector (exploitation begins with a crafted webpage); low complexity once renderer is compromised; and changed scope (from renderer isolation to system access). The score is not CRITICAL despite Chromium's internal severity classification because CVSS accounts for the required prior compromise (low privileges needed to begin, but context-dependent). In practice, the true risk is moderate to high depending on whether other Chrome CVEs simplifying the renderer compromise are circulating.

Frequently asked questions

Do I need to patch if users don't visit untrusted websites?

Yes. Although the attack requires both a renderer compromise and a malicious page, the renderer can be compromised through other Chrome vulnerabilities that may be less obvious (embedded ads, compromised legitimate sites, supply-chain attacks). Patching removes the sandbox escape path regardless of browsing habits.

Is this vulnerability actively being exploited?

As of the publication date (June 2026), this vulnerability is not listed on CISA's Known Exploited Vulnerabilities catalog and no public exploits have been confirmed. However, it may be used in targeted attacks after patch information becomes widely known, so timely patching is important.

Does this affect Chrome on macOS or Linux?

No. This vulnerability is specific to Windows and Aura's integration with the Windows windowing system. Chrome on macOS, Linux, and Android is not affected.

What should we do if we discover a Chrome version older than 149.0.7827.103?

Immediately trigger an update through your patch management or device management system. If the system is business-critical, isolate it from sensitive network resources until patched. Review logs for evidence of compromise (crashes, unusual process behavior, or suspicious network connections).

This analysis is provided for informational and defensive purposes. SEC.co makes no warranty regarding the accuracy or completeness of this content, and it is not a substitute for vendor security advisories. Always verify patch versions, affected product lists, and remediation guidance against official Google Chrome security bulletins and your environment's configuration. Readers should conduct their own risk assessment and consult with internal security teams before implementing remediation. Exploitability and active exploitation status are based on information available at the time of publication and may change; refer to CISA KEV and security news sources for current threat intelligence. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).