HIGH 7.5

CVE-2026-11636: Critical Use-After-Free in Chrome Autofill on Windows

A use-after-free vulnerability exists in Google Chrome's Autofill feature on Windows systems. An attacker can craft a malicious HTML page that, when combined with specific user interactions, may trigger memory corruption leading to code execution. The vulnerability requires user interaction—specifically certain UI gestures—to be exploited, but once triggered, the impact is severe. Chrome versions prior to 149.0.7827.103 are affected.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-416
Affected products
2 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Use after free in Autofill in Google Chrome on Windows prior to 149.0.7827.103 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11636 is a use-after-free (CWE-416) flaw in the Autofill subsystem of Google Chrome on Windows. The vulnerability arises when memory is accessed after being freed, allowing an attacker to manipulate heap state through a specially crafted HTML document. Successful exploitation requires convincing a user to perform specific UI interactions—such as autofill form submissions or interactions with saved credentials. When triggered, the heap corruption can lead to arbitrary code execution with the privileges of the Chrome process. The Chromium project assigned this a Critical severity rating internally.

Business impact

Exploitation of this vulnerability could allow an attacker to execute arbitrary code on a user's Windows machine via a compromised or malicious website. This is particularly concerning in enterprise environments where Chrome is widely deployed. A successful attack could lead to data theft, malware installation, lateral movement within networks, or compromise of sensitive information stored in Chrome's credential vault. The requirement for user interaction reduces—but does not eliminate—risk in phishing or social engineering scenarios. Organizations should prioritize patching to prevent potential data breaches and system compromise.

Affected systems

Google Chrome running on Windows systems with versions prior to 149.0.7827.103 are vulnerable. The vulnerability does not affect Chrome on other operating systems (Linux, macOS, Android) based on the vendor disclosure. Both personal and enterprise Chrome deployments are affected. Chromebook users and Linux/Mac Chrome users are not impacted by this specific flaw.

Exploitability

While the CVSS score of 7.5 reflects moderate network-based exploitability, the practical barrier to exploitation is the requirement for specific user UI gestures. An attacker cannot exploit the vulnerability silently or without user action. However, this user interaction requirement is often fulfilled through social engineering, phishing campaigns directing users to crafted pages, or compromised legitimate websites. The complexity of reliably triggering the vulnerability and converting memory corruption into code execution raises the practical attack difficulty, but successful exploitation is possible with careful crafting of both HTML payload and interaction guidance.

Remediation

Update Google Chrome to version 149.0.7827.103 or later. Users can verify their Chrome version by navigating to chrome://settings/help, where Chrome will automatically check for and apply available updates. Organizations should enforce automated updates via Chrome policies (chrome://policy) or deploy patches through endpoint management systems. No workaround exists other than updating; disabling Autofill reduces but does not eliminate the attack surface.

Patch guidance

Patch availability: Google Chrome 149.0.7827.103 and later contain the fix for this vulnerability. Release timeline: Updates are typically rolled out gradually across user bases, so verify successful installation on critical systems. Enterprise customers should use Chrome Enterprise policies to manage rollout, prioritizing systems with high user-facing exposure. Test patches in a representative environment before enterprise-wide deployment to ensure no compatibility issues with internal web applications or extensions. Automated Chrome updates are enabled by default; manual checking via chrome://settings/help is recommended for immediate verification.

Detection guidance

Monitor for exploitation attempts by observing Chrome crash dumps and Windows Event Viewer logs for abnormal Chrome process behavior or memory access violations. Network-based detection is limited but may include identifying traffic patterns to known attacker infrastructure or malicious domains hosting exploit pages. Endpoint detection and response (EDR) solutions should flag unusual heap corruption patterns or unexpected process spawning from Chrome. Consider monitoring autofill interactions and form submissions for suspicious patterns. Log review of any Chrome component crashes may provide early indicators of exploitation attempts in your environment.

Why prioritize this

Although the CVSS score is 7.5 (HIGH), the Chromium project's internal Critical rating and the potential for remote code execution warrant expedited patching. The user-interaction requirement keeps this below the highest urgency tier, but the widespread deployment of Chrome and the severity of potential compromise make this a priority-one patching task for most organizations. This should be addressed within your standard critical patch cycle—ideally within 1–2 weeks.

Risk score, explained

The CVSS 3.1 vector (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H) yields a score of 7.5. The score reflects network-based attack feasibility (AV:N), high attack complexity due to the need for reliable heap exploitation and user gestures (AC:H), no privilege requirements (PR:N), required user interaction (UI:R), confidentiality and integrity impacts from code execution, and high availability impact. The relatively lower score compared to the internal Critical rating underscores that CVSS does not fully capture the practical threat posed by widespread Chrome usage and the reliability of social engineering delivery mechanisms.

Frequently asked questions

Do all Chrome users need to update immediately?

Yes. While the vulnerability requires user interaction, the combination of widespread Chrome deployment, high-impact potential (code execution), and ease of social engineering delivery makes this a priority update for all users. Enterprise administrators should enforce updates across their infrastructure within 1–2 weeks.

Is my data automatically encrypted or safe if I use Chrome Sync?

No. A successful exploit could allow an attacker to access data in the Chrome profile, including synced passwords and saved credentials. Patching is essential to prevent credential theft. Chrome Sync encryption protects data in transit to Google servers but does not protect against local compromise via this vulnerability.

Can disabling Autofill fully protect me?

Disabling Autofill in chrome://settings/passwords reduces the attack surface but does not eliminate it entirely, as the vulnerability may be exploitable through other form-interaction vectors. Patching is the only reliable mitigation.

Why is the CVSS score 7.5 if Chromium called it Critical?

CVSS scores reflect standardized severity based on technical attributes, while vendor-specific severity ratings (like Chromium's Critical) also consider exploit prevalence, deployment scale, and threat landscape context. The 7.5 score accurately reflects the technical severity; the Critical rating reflects the high real-world impact due to Chrome's ubiquity and the RCE potential.

This analysis is provided for informational purposes and based on publicly available vulnerability data as of the publication date. No exploit code or detailed attack methodologies are provided. Organizations should verify patch applicability and perform testing in their environments before deployment. This guidance does not constitute professional security advice; consult your organization's security team and vendor advisories for environment-specific decisions. Timelines and severity assessments may change as new information emerges. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).