CVE-2026-11641: Critical Use-After-Free in Chrome Bluetooth on Windows
A memory safety flaw in Google Chrome's Bluetooth implementation on Windows allows attackers to crash the browser or run malicious code if they can trick a user into specific interactions with a specially crafted webpage. The vulnerability requires user action and doesn't grant automatic exploitation, but once triggered, it could give an attacker full control over the affected browser process and any data within it.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-416
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Use after free in Bluetooth in Google Chrome on Windows prior to 149.0.7827.103 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11641 is a use-after-free vulnerability (CWE-416) in Chrome's Bluetooth subsystem. When the Bluetooth module processes certain sequences of operations after freeing memory, subsequent interactions with that freed memory can lead to memory corruption. An attacker can craft HTML content that, combined with targeted UI gestures from the user, causes the freed memory to be reallocated and controlled by malicious code, resulting in arbitrary code execution within the Chrome process context on Windows systems running versions prior to 149.0.7827.103.
Business impact
This vulnerability poses a significant risk to organizations where employees browse untrusted content or interact with potentially malicious websites. Successful exploitation could allow attackers to steal sensitive data from browser memory, install malware, compromise email credentials stored in the browser, or pivot to internal systems. The requirement for user interaction somewhat limits mass exploitation, but phishing campaigns or watering-hole attacks could be effective delivery vectors. Organizations should prioritize patching exposed systems to prevent data theft and lateral movement.
Affected systems
Google Chrome on Microsoft Windows versions prior to 149.0.7827.103 are vulnerable. This includes all stable, beta, and earlier release channels on Windows. Users on macOS and Linux are not affected by this specific Bluetooth-related flaw. Enterprise deployments using managed Chrome instances and standard Windows environments are equally at risk if unpatched.
Exploitability
The vulnerability requires convincing a user to visit a malicious website and perform specific UI gestures (such as enabling Bluetooth, interacting with Bluetooth dialogs, or triggering specific browser actions). This is not an unauthenticated network-based wormable flaw. However, the bar for user interaction is moderate—phishing emails with urgent-looking links or compromised websites could successfully deliver the exploit to unsuspecting users. The Chromium security team classified this as Critical severity, reflecting the severity of the impact if triggered, even though exploitation is not automatic.
Remediation
Update Google Chrome to version 149.0.7827.103 or later immediately. This patch addresses the underlying memory management issue in the Bluetooth implementation. For enterprise environments, configure automatic updates or deploy the patch through your standard patch management process. Verify the update has been applied by checking Chrome's version in Settings > About Chrome, which will also automatically check for and install any pending updates.
Patch guidance
Chrome version 149.0.7827.103 and all subsequent versions contain the fix. Users can enable automatic updates (the default setting) to receive the patch without manual intervention. Enterprise administrators should verify patch deployment using your endpoint management solution and confirm that Chrome instances have updated successfully. Check the Chromium release notes for any compatibility considerations, though this memory fix should not affect normal browsing.
Detection guidance
Monitor for crashed Chrome processes, particularly those involving Bluetooth functionality, as failed exploitation attempts may leave detectable artifacts. Endpoint detection and response (EDR) tools should flag processes spawning suspicious child processes from Chrome or unexpected code execution within browser memory. Web proxy logs showing visits to known malicious domains should be correlated with subsequent Chrome crashes or suspicious behavior on affected systems. However, successful exploitation may be difficult to detect if the attacker maintains stealth; focus on prevention through patching.
Why prioritize this
Although this requires user interaction, the combination of high impact (arbitrary code execution in browser context), the prevalence of Windows and Chrome in enterprises, the ease of delivering a phishing link to trigger user interaction, and the moderate complexity of exploitation make this a high-priority patch. The Chromium Critical rating and high CVSS score reflect the severity if exploited. Organizations should treat this as urgent and allocate resources to rapid patch deployment.
Risk score, explained
The CVSS 3.1 score of 7.5 (HIGH) reflects high confidentiality, integrity, and availability impact (arbitrary code execution) balanced against the requirement for user interaction and moderately complex attack conditions. The score appropriately captures that while the impact is severe, the attack is not network-automatic. The Chromium Critical designation emphasizes the practical severity and real-world risk, which aligns with the HIGH CVSS rating.
Frequently asked questions
Can I be exploited just by visiting a website, or do I need to do something specific?
An attacker needs to both serve a malicious webpage and convince you to perform specific UI gestures—such as enabling Bluetooth, interacting with Bluetooth settings, or engaging with browser dialogs related to Bluetooth. Simply visiting a page is insufficient; the attacker must engineer the interaction. This makes mass-scale silent exploitation unlikely, but phishing and social engineering are effective delivery methods.
If I'm on macOS or Linux, am I affected?
No. This vulnerability is specific to the Windows implementation of Chrome's Bluetooth handling. macOS and Linux Chrome users are not affected by CVE-2026-11641.
What happens if my Chrome crashes—could that be the vulnerability being exploited?
A Chrome crash could indicate an unsuccessful exploitation attempt, but it could also result from many other causes. Crashes alone are not a reliable indicator of compromise. Focus on keeping Chrome updated to version 149.0.7827.103 or later, which closes the vulnerability entirely.
Does this vulnerability give attackers access to my entire computer, or just Chrome?
Exploitation results in arbitrary code execution within the Chrome browser process. The attacker gains full access to data in that process (browsing history, cached credentials, etc.) and can potentially use Chrome as a stepping stone for further attacks. However, exploitation is sandboxed by default in modern Chrome; full system compromise would require additional vulnerabilities or misconfigurations.
This analysis is based on publicly available information as of the publication date. Attackers and defenders evolve tactics continuously; organizations should verify patch availability and compatibility in their own environment before deployment. SEC.co recommends treating this as an urgent priority given the HIGH CVSS score and Chromium Critical rating. No working public exploits were assumed in this analysis; organizations should remain vigilant for proof-of-concept releases and adapt detection strategies accordingly. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10000HIGHChrome Sandbox Escape via Use-After-Free in Password Handling
- CVE-2026-10001HIGHChrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGHChrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10007HIGHChrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)
- CVE-2026-10012HIGHChrome Skia Use-After-Free Sandbox Escape (v148.0.7778.216)
- CVE-2026-10013HIGHUse-After-Free in Chrome WebCodecs – Patch Guide & Risk Assessment
- CVE-2026-10016HIGHUse-After-Free in Chrome DOM – Sandbox Code Execution Vulnerability