CVE-2026-11633: Chrome Bluetooth Use-After-Free RCE on macOS
Google Chrome on macOS contains a use-after-free vulnerability in its Bluetooth handling code. This flaw allows a remote attacker to execute arbitrary code on a victim's machine if that person connects to or interacts with a malicious Bluetooth peripheral while using an unpatched version of Chrome. The vulnerability affects Chrome versions prior to 149.0.7827.103 on Mac systems.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-416
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Use after free in Bluetooth in Google Chrome on Mac prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code via a malicious peripheral. (Chromium security severity: Critical)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11633 is a use-after-free (CWE-416) condition in Chrome's Bluetooth subsystem on macOS. Use-after-free vulnerabilities occur when a program continues to reference memory that has been deallocated, allowing an attacker to corrupt memory state or divert execution flow. In this case, the flaw exists in Bluetooth peripheral handling logic, enabling remote code execution when a user's device interfaces with a specially crafted Bluetooth device. The vulnerability was assigned a CVSS 3.1 score of 8.8 (HIGH) with a network-based attack vector, low complexity, no privilege requirements, and user interaction needed—reflected by the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. Google classified it as Critical severity.
Business impact
Successful exploitation could lead to complete compromise of the affected Chrome process and potentially the host system. An attacker gaining arbitrary code execution can steal credentials, install malware, exfiltrate sensitive data, or pivot to other systems on the network. For organizations where macOS users rely on Chrome for business-critical workflows—particularly those handling financial transactions, intellectual property, or customer data—this vulnerability represents a material risk to confidentiality, integrity, and availability.
Affected systems
Google Chrome on macOS versions prior to 149.0.7827.103 are vulnerable. The attack surface is limited to users who connect or attempt to pair with a malicious Bluetooth peripheral while running unpatched Chrome. On-premises and remote workers with macOS devices are potentially affected if their systems have Bluetooth enabled and they interact with untrusted Bluetooth devices.
Exploitability
The vulnerability requires user interaction (pairing or connecting to a Bluetooth device), which lowers the attack ease compared to a fully passive vector. However, the attack surface remains broad: a malicious actor could deploy a crafted Bluetooth device in public spaces, workplaces, or use it to target specific individuals. Social engineering (e.g., 'connect to this headset for better call quality') could be leveraged. The CVSS network-based vector indicates the malicious peripheral does not require physical proximity to execute the initial exploitation phase, though Bluetooth range constraints apply in practice.
Remediation
Update Google Chrome on macOS to version 149.0.7827.103 or later. This patch addresses the use-after-free condition in Bluetooth handling. Users should verify the update has been applied by checking Chrome's version under 'About Google Chrome,' which will automatically update if available. Disable Bluetooth on macOS systems when not in active use to reduce exposure. Do not connect to unfamiliar or suspicious Bluetooth devices.
Patch guidance
Google has released Chrome 149.0.7827.103 for macOS containing the fix for CVE-2026-11633. Enable automatic updates in Chrome settings to receive patches promptly. For organizations managing Chrome deployments, verify compatibility with enterprise policies and any third-party Chrome extensions before rolling out the patch. If manual updates are required, administrators should test in a staging environment first, then deploy to production endpoints systematically to minimize disruption.
Detection guidance
Monitor for unexpected Chrome crashes or unusual Bluetooth connection attempts from employee devices. Endpoint Detection and Response (EDR) tools should flag suspicious Bluetooth pairing events or abnormal process execution spawned from Chrome. Review Chrome crash reports and system logs for segmentation faults or memory access violations correlating with Bluetooth interactions. Network monitoring can detect outbound communication from compromised Chrome processes that may indicate command-and-control activity or data exfiltration post-exploitation.
Why prioritize this
This vulnerability merits immediate attention due to its critical severity classification from Google, high CVSS score (8.8), and potential for arbitrary code execution. Although user interaction is required, the attack vector is feasible in real-world scenarios. Organizations with significant macOS populations and high-value data should prioritize patching. The lack of KEV inclusion suggests active in-the-wild exploitation has not yet been confirmed at publication, but the criticality warrants treating it as a high-priority patch.
Risk score, explained
The CVSS 3.1 score of 8.8 (HIGH) reflects the severity of arbitrary code execution impact (Confidentiality, Integrity, and Availability all rated High) combined with a low-complexity attack and no privilege escalation required. The Network attack vector and User Interaction requirement prevent a Critical rating despite the severe impact. Google's own Critical severity designation reflects their assessment of real-world risk and the trustworthiness of the Chromium threat model; organizations should weight both the CVSS score and Google's guidance when determining patch urgency.
Frequently asked questions
Do I need Bluetooth enabled for this vulnerability to affect me?
Yes. The vulnerability requires interaction with a malicious Bluetooth peripheral. If Bluetooth is disabled on your macOS device, the attack surface is eliminated. However, disabling Bluetooth entirely may not be practical for all users; in that case, focus on avoiding connections to unfamiliar or suspicious Bluetooth devices and keeping Chrome updated.
Will my Chrome extensions protect me from this vulnerability?
No. This is a memory safety flaw in Chrome's core Bluetooth handling code, not a content-based attack. Extensions cannot mitigate use-after-free conditions. The only effective protection is updating to Chrome 149.0.7827.103 or later.
If I'm already updated to the latest Chrome, am I safe?
If you are running Chrome 149.0.7827.103 or later on macOS, this specific vulnerability is patched. However, ensure you have automatic updates enabled so you receive future security patches without manual intervention. Check 'About Google Chrome' to confirm your version.
Could this affect Chrome on Windows or Linux?
No. CVE-2026-11633 is specific to Chrome on macOS due to differences in how the Bluetooth stack integrates with each operating system. Windows and Linux users are not affected by this particular vulnerability, though they should remain vigilant for other platform-specific issues.
This analysis is based on publicly available vulnerability data as of the publication date. Organizations should verify patch availability and compatibility with their specific Chrome deployment version before implementing updates. SEC.co does not provide warranty or guarantee of exploit availability, active in-the-wild attacks, or real-world impact. Always test patches in a controlled environment before broad deployment. For the most current information, consult Google's official security advisory and your organization's vulnerability management processes. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10001HIGHChrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGHChrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10005HIGHChrome macOS Use-After-Free RCE Vulnerability (7.5 CVSS)
- CVE-2026-10007HIGHChrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)
- CVE-2026-10012HIGHChrome Skia Use-After-Free Sandbox Escape (v148.0.7778.216)
- CVE-2026-10013HIGHUse-After-Free in Chrome WebCodecs – Patch Guide & Risk Assessment
- CVE-2026-10016HIGHUse-After-Free in Chrome DOM – Sandbox Code Execution Vulnerability