HIGH 7.5

CVE-2026-11639: Critical Use-After-Free in Chrome macOS Compositing Engine

A use-after-free memory safety flaw exists in Google Chrome's compositing engine on macOS. If you visit a malicious webpage, an attacker could exploit this vulnerability to run arbitrary code on your system with the privileges of the Chrome process. The vulnerability was patched in Chrome 149.0.7827.103 and later versions.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-416
Affected products
2 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Use after free in Compositing in Google Chrome on Mac prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11639 is a use-after-free vulnerability (CWE-416) in the compositing subsystem of Chromium on macOS. Use-after-free occurs when an object is accessed after its memory has been freed, allowing attackers to corrupt heap state or execute code. In this case, the flaw exists prior to Chrome 149.0.7827.103. The attack requires user interaction (visiting a crafted HTML page) but does not require authentication or elevated privileges to initiate. Once triggered, the vulnerability permits arbitrary code execution in the context of the browser process.

Business impact

For organizations with macOS-based workforces relying on Chrome, this vulnerability poses a direct risk of code execution and potential system compromise through web browsing alone. An attacker could gain a foothold to steal credentials, access sensitive data, install malware, or pivot laterally into internal systems. The human interaction requirement (visiting a malicious site) is a realistic attack vector via phishing, watering-hole attacks, or compromised advertising networks. Unpatched systems create material breach risk, especially for knowledge workers, remote staff, and developers.

Affected systems

Google Chrome versions prior to 149.0.7827.103 on macOS are affected. This includes all macOS users (Intel and Apple Silicon) running Chrome build 149.0.7827.102 and earlier. Windows and Linux versions of Chrome are not affected by this specific compositing vulnerability, though they may be vulnerable to other issues. Chrome on other platforms should be verified against the official Chrome releases page.

Exploitability

Exploitability is moderate due to the requirement for user interaction—a victim must visit or be redirected to a attacker-controlled webpage. However, this is not a high bar in practice given the prevalence of phishing, social engineering, and drive-by downloads. No known public exploit exists at the time of CVE publication (as this is not yet listed in CISA's Known Exploited Vulnerabilities catalog), but the critical severity rating from Chromium and the straightforward attack surface (arbitrary code execution) mean active exploitation is plausible once tooling becomes available or details spread.

Remediation

Update Google Chrome to version 149.0.7827.103 or later immediately on all macOS systems. Chrome's auto-update mechanism should deploy the patch, but verify completion by navigating to Chrome Menu > About Google Chrome and checking the current version. For enterprise deployments, enforce Chrome update policies and validate patch deployment across your fleet. No workarounds mitigate the underlying flaw; patching is mandatory.

Patch guidance

Verify that Chrome has updated to 149.0.7827.103 or later via the About Chrome page, which will prompt installation and automatic restart if an update is pending. For managed environments, use Chrome Enterprise's update policies (via ADMX templates on Windows or MDM profiles on macOS) to enforce the minimum version requirement. Test patch deployment in a non-production environment first if you manage a large fleet. Also ensure macOS itself is kept current, as OS-level mitigations can reduce attack surface.

Detection guidance

Monitor for Chrome crashes or unexpected process termination on macOS systems, which may indicate exploitation attempts. In network logs, look for outbound connections from Chrome to suspicious or unfamiliar domains that users did not intentionally visit. Endpoint detection and response (EDR) tools should flag heap corruption attempts or unusual memory access patterns. Review browser history on potentially compromised machines for unfamiliar websites visited around the time of suspicious activity. If available, enable Chrome's Security Hub to audit extension and plugin permissions post-patch.

Why prioritize this

This is a high-priority issue meriting immediate patching due to: (1) remote code execution capability requiring only user interaction, (2) affects a ubiquitous application with daily user engagement, (3) macOS is a common platform for knowledge workers and executives, (4) no public exploit exists yet but the attack surface is straightforward. Organizations should treat this as a critical remediation item for all macOS-based Chrome users, especially those handling sensitive data or high-value accounts.

Risk score, explained

The CVSS 3.1 score of 7.5 (HIGH) reflects the high impact (confidentiality, integrity, and availability all set to High) balanced against the moderating factor of attack complexity and required user interaction. While the Chromium security rating is Critical, the CVSS score accounts for the practical requirement that a user must be tricked into visiting a malicious page. The score appropriately captures the significant but not

Frequently asked questions

Does this affect Chrome on Windows or Linux?

No. This specific use-after-free in the compositing engine only affects Chrome on macOS. Windows and Linux users are not vulnerable to CVE-2026-11639, though they should maintain up-to-date Chrome for other security patches. Check the official Chrome security releases page for platform-specific details.

If I have Chrome set to auto-update, am I protected?

Chrome's auto-update feature will deploy version 149.0.7827.103 or later automatically, but you may need to restart the browser to apply the patch. Visit Chrome Menu > About Google Chrome to force an immediate check and see your current version. Verify it matches 149.0.7827.103 or higher.

Can an attacker exploit this without me visiting a malicious site?

Not directly. The attacker must trick you into visiting a crafted webpage—via phishing email, malicious ad, compromised legitimate site, or similar means. Simply having Chrome open is not enough; you must actually navigate to or be redirected to the attacker's page. Practice caution with unexpected links and verify URLs before clicking.

What if I use Chrome in a sandbox or container on macOS?

Sandboxing within Chrome itself (such as running extensions or content in isolated processes) provides layered defense, but does not eliminate the vulnerability. The compositing flaw exists in the core browser engine, so all Chrome users on affected versions must patch regardless of how they run the browser. For additional protection, consider running untrusted sites in isolated virtual machines or containers at the OS level.

This analysis is provided for informational purposes and reflects the state of information as of the publication date. SEC.co does not guarantee the completeness or accuracy of third-party vendor advisories or patch status; always verify patch versions and compatibility with your specific environment and vendor documentation. No liability is accepted for actions taken or not taken based on this content. Organizations are responsible for conducting independent risk assessments and patch testing before deployment. Information in this page may change as additional details emerge; check back for updates. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).