CVE-2026-11635: Chrome Bluetooth Use-After-Free Sandbox Escape (macOS)
A use-after-free memory vulnerability exists in the Bluetooth component of Google Chrome on macOS. An attacker who already compromises a website's renderer process can exploit this flaw through a specially crafted HTML page to escape the browser sandbox and run code at system level. This is a chained attack—the initial compromise of the renderer process is prerequisite, but once achieved, the vulnerability enables full sandbox bypass with high impact.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.3 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-416
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Use after free in Bluetooth in Google Chrome on Mac prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11635 is a use-after-free (CWE-416) bug in Chrome's Bluetooth implementation on macOS prior to version 149.0.7827.103. The vulnerability occurs when a memory object is freed but later accessed without proper validation. An attacker controlling the renderer process can trigger this condition via malicious HTML, leading to arbitrary code execution in the privileged context outside the sandbox. The attack requires user interaction (visiting a crafted page) and depends on overcoming address space layout randomization (ASLR), reflected in the CVSS AC:H (attack complexity: high) rating.
Business impact
Successful exploitation allows an attacker to fully compromise a macOS system running Chrome. While the vulnerability requires a prior renderer compromise, it effectively negates the security boundary that isolates web content from the operating system. For organizations relying on browser sandboxing as a defense layer, this represents a critical escalation path. Affected users could face data theft, malware installation, or lateral movement into corporate networks.
Affected systems
Google Chrome versions prior to 149.0.7827.103 running on macOS are vulnerable. The Bluetooth component is implicated, though the HTML-based trigger vector suggests the flaw may be reachable through normal web browsing if a user's renderer process has already been compromised. Windows and Linux Chrome versions are not affected by this particular vulnerability.
Exploitability
Exploitation requires two preconditions: (1) compromise of the Chrome renderer process (typically through a separate browser vulnerability, malicious website, or malware), and (2) user interaction to visit the attacker-controlled HTML page. The CVSS score reflects high impact but moderate attack complexity due to ASLR mitigation. This is not remotely exploitable in a single step from an unauthenticated network position. However, in scenarios where a renderer is already compromised, exploitation becomes highly likely. The vulnerability is not currently tracked in the CISA Known Exploited Vulnerabilities (KEV) catalog, suggesting limited public exploitation at the time of publication.
Remediation
Update Google Chrome to version 149.0.7827.103 or later. Verify the update through Settings > About Google Chrome, which auto-checks for updates. For managed deployments, push this update immediately via your organization's Chrome deployment tools (Jamf, Intune, or equivalent MDM solutions). Interim mitigations include disabling Bluetooth-related features if not required, though sandboxing bypass protection ultimately depends on patching.
Patch guidance
Install Chrome 149.0.7827.103 or any subsequent release. This update addresses the use-after-free condition. Verify patch application by checking chrome://version/ after restart. For enterprise deployments, use your MDM system to enforce mandatory updates and audit compliance across devices. No manual configuration changes are required; patching is the sole remediation path.
Detection guidance
Monitor Chrome crash logs and system logs for unusual Bluetooth-related process termination or escalation events on macOS. Detection is challenging because the vulnerability exploits memory corruption; signature-based detection of the HTML trigger is not practical without access to attacker infrastructure. Focus on behavioral detection: watch for Chrome spawning unexpected child processes with elevated privileges or attempts to access sensitive system areas. Endpoint detection and response (EDR) tools should flag renderer process escalations. Threat hunting should prioritize systems running unpatched Chrome versions in conjunction with suspicious web activity.
Why prioritize this
Despite a CVSS score of 8.3 (HIGH), this vulnerability merits urgent patching because: (1) it enables sandbox escape, the last line of defense for browser-based attacks; (2) macOS users in security-sensitive roles are frequent targets; (3) the attack chain, while requiring an initial renderer compromise, is plausible in targeted campaigns; (4) the attack complexity is moderate, not exceptional. Prioritize patching ahead of routine updates but acknowledge that pre-existing renderer compromise is a dependency that may lower relative risk in environments with strong web filtering and malware prevention.
Risk score, explained
The CVSS 3.1 score of 8.3 reflects: (1) HIGH impact across confidentiality, integrity, and availability due to code execution outside the sandbox; (2) NETWORK attack vector allowing delivery via web content; (3) HIGH attack complexity reflecting ASLR and the need to achieve a precise memory state; (4) NO privilege requirement (the attacker leverages already-compromised renderer context); (5) REQUIRED user interaction (visiting the HTML page); and (6) CHANGED scope (escaping the sandbox affects the host OS, not just the browser process). The score appropriately captures a dangerous privilege escalation but does not account for the prerequisite renderer compromise, which some organizations may mitigate through separate controls.
Frequently asked questions
Do I need Bluetooth enabled to be affected?
The vulnerability exists in Chrome's Bluetooth component, but the triggering HTML payload is delivered through normal web browsing. You do not need an active Bluetooth connection; the flaw is in the code path, and a crafted page can invoke it regardless of Bluetooth status.
Does this affect Chrome on Windows or Linux?
No. This vulnerability is specific to macOS. Chrome on Windows and Linux does not contain this particular use-after-free condition in the Bluetooth implementation.
What if my renderer process is already compromised—should I assume exploitation?
Not necessarily. The vulnerability requires an attacker to both compromise the renderer and then deliver a specific HTML payload to trigger the memory corruption. However, if you detect renderer compromise through other means, prioritize this patch immediately. Assume the attacker has the capability to escalate if they control the rendering context.
Will updating Chrome break Bluetooth functionality?
No. The update fixes the vulnerability without removing or degrading Bluetooth features in Chrome. All functionality is preserved in version 149.0.7827.103 and later.
This analysis is provided for informational purposes based on publicly disclosed vulnerability data. No working exploit code is described herein. Organizations should verify all patch versions and guidance against official vendor advisories (Google Chrome Release Notes, Apple Security Updates) before deployment. This vulnerability requires a prior renderer process compromise; isolated patching alone does not mitigate all upstream attack vectors. Consult your vendor and security team regarding applicability to your environment. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10001HIGHChrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGHChrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10005HIGHChrome macOS Use-After-Free RCE Vulnerability (7.5 CVSS)
- CVE-2026-10007HIGHChrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)
- CVE-2026-10012HIGHChrome Skia Use-After-Free Sandbox Escape (v148.0.7778.216)
- CVE-2026-10013HIGHUse-After-Free in Chrome WebCodecs – Patch Guide & Risk Assessment
- CVE-2026-10016HIGHUse-After-Free in Chrome DOM – Sandbox Code Execution Vulnerability