HIGH 8.8

CVE-2026-11637: Chrome macOS Use-After-Free RCE Vulnerability

A use-after-free vulnerability exists in Google Chrome's Views component on macOS that allows attackers to execute arbitrary code on a victim's machine. The flaw is triggered when a user visits a specially crafted webpage, requiring no special privileges or complex setup. Google has classified this as a critical severity issue in the underlying Chromium project. This vulnerability affects Chrome versions prior to 149.0.7827.103 on macOS systems.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-416
Affected products
2 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Use after free in Views in Google Chrome on Mac prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11637 is a use-after-free memory corruption vulnerability (CWE-416) located in Chrome's Views subsystem on macOS. The vulnerability permits a remote, unauthenticated attacker to trigger a code execution condition through a maliciously crafted HTML payload. The attack surface is the browser rendering engine itself—when a victim navigates to an attacker-controlled or compromised website, the malformed content can cause the Views component to reference memory that has already been freed, leading to out-of-bounds memory access and potential control flow hijacking. The CVSS 3.1 score of 8.8 reflects the high confidentiality, integrity, and availability impact, with network-based attack vector and user interaction requirement as the only limiting factors.

Business impact

This vulnerability poses a direct and immediate threat to macOS users running affected Chrome versions. Successful exploitation allows attackers to achieve full code execution in the context of the Chrome process, potentially enabling data theft, system compromise, credential harvesting, or lateral movement into corporate networks. For organizations with macOS-based workforces, unpatched Chrome installations represent a critical attack surface. The low attack complexity and requirement for only user interaction (clicking a link or visiting a compromised site) mean this threat is operationally viable at scale, particularly in phishing or watering-hole attack scenarios.

Affected systems

Google Chrome on macOS operating systems versions prior to 149.0.7827.103 are vulnerable. The vulnerability is specific to the macOS platform; Chrome on Windows and Linux are not affected by this particular issue in the Views component. Any macOS system with Chrome installed and unpatched should be considered at risk.

Exploitability

This vulnerability is exploitable with moderate effort by a skilled attacker. No special network position, authentication, or user privileges are required—only that a victim visit a crafted webpage. The user interaction requirement (visiting the page) is a minor friction factor but does not significantly reduce real-world exploitability given the prevalence of phishing, watering-hole attacks, and compromised legitimate websites. The Chromium project's classification as 'Critical' severity indicates Google's assessment that this could be quickly weaponized. Currently, the vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, though this status may change as exploitation becomes more widespread.

Remediation

Users and administrators should immediately update Google Chrome on macOS to version 149.0.7827.103 or later. Google typically delivers these updates automatically; however, administrators should verify that the update has been applied, particularly in managed environments. For enterprise deployments, Chrome policy settings can enforce automatic updates and prevent users from running older versions. Organizations should prioritize this update for all macOS endpoints.

Patch guidance

Update Chrome on macOS to version 149.0.7827.103 or later as soon as possible. In managed environments, use Chrome Enterprise policies (chrome://policy on Windows/Linux, or System Preferences profiles on macOS) to enforce the minimum version requirement and enable automatic updates. Verify the installed version via Chrome menu > About Google Chrome; the browser will automatically check for updates and prompt installation. For organizations unable to immediately patch, enforce network segmentation and browser isolation technologies to limit the damage surface should compromise occur.

Detection guidance

Monitor for Chrome processes accessing unusual memory regions or triggering segmentation faults on macOS systems running Chrome versions prior to 149.0.7827.103. Review browser history and DNS logs for visits to suspicious or attacker-controlled domains. Endpoint Detection and Response (EDR) solutions should flag unexpected child processes spawned from the Chrome browser process, as successful exploitation would likely result in code execution. Check for unusual outbound network connections from Chrome that may indicate data exfiltration or command-and-control communication post-compromise.

Why prioritize this

This vulnerability warrants immediate prioritization due to the combination of critical severity rating from Google, high CVSS score (8.8), ease of exploitation, and the ubiquity of Chrome in modern workplaces. The attack vector is remote and requires only user interaction—a low bar for large-scale compromise campaigns. Any macOS-using organization, particularly those in high-value industries (finance, healthcare, technology), should treat this as urgent. The absence of exploitation data in public KEV listings should not lower urgency; it may simply reflect disclosure timing and detection lag rather than actual non-exploitation.

Risk score, explained

The CVSS 3.1 score of 8.8 (HIGH) reflects a network-accessible vulnerability with low attack complexity and user interaction requirement, resulting in high impact across confidentiality, integrity, and availability (C:H/I:H/A:H). The score appropriately captures the severity of arbitrary code execution as the outcome. The absence of privilege escalation (scope unchanged) and the requirement for user interaction prevent this from achieving a 9.0+ CRITICAL score in the CVSS framework, despite Google's internal 'Critical' severity classification, which weighs factors like deployability and real-world exploitability that CVSS does not capture.

Frequently asked questions

Does this vulnerability affect Chrome on Windows or Linux?

No. CVE-2026-11637 is specific to the macOS platform. The use-after-free in the Views component affects only Chrome on macOS versions prior to 149.0.7827.103. Windows and Linux users are not impacted by this particular issue, though they should maintain current patch levels for other security issues.

Can this be exploited without user interaction?

No. The attack requires a user to visit or interact with a crafted HTML page. However, this is a low friction requirement—victims need only click a link in an email, visit a compromised website, or be redirected through a watering-hole attack. It is not a protection factor in realistic threat scenarios.

Is this vulnerability currently being exploited in the wild?

As of the publication date, this vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. However, the absence of public reports does not mean exploitation is not occurring—detection lag and attribution difficulties mean some attacks may go unreported. Given the ease of exploitation and high severity, organizations should assume potential exploitation and patch immediately.

What should I do if I cannot patch Chrome immediately?

Implement browser isolation or sandboxing solutions to limit the blast radius of compromise. Enforce strict Content Security Policies, block access to known attacker infrastructure, and increase monitoring for suspicious Chrome process behavior. Use network segmentation to prevent compromised endpoints from accessing sensitive systems. However, these are temporary measures—patch as soon as possible.

This analysis is provided for informational purposes based on publicly available data current as of the publication date. The vulnerability details, affected versions, and patch information are derived from official vendor advisories and CVE databases. Organizations should verify patch applicability and compatibility within their environment before deployment. SEC.co makes no warranty regarding the completeness or accuracy of third-party vendor data. For the most current information, consult Google Chrome's official security advisory and your organization's vulnerability management processes. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).