HIGH 8.1

CVE-2026-11643: Chrome Proxy Use-After-Free Code Execution Vulnerability

A use-after-free vulnerability exists in Google Chrome's Proxy component that could allow attackers to execute arbitrary code on victim machines through specially crafted network traffic. The flaw affects Chrome versions prior to 149.0.7827.103 and has been rated as Critical by the Chromium security team. While no active exploitation has been confirmed in the wild, the vulnerability's remote nature and code execution potential make it a significant threat requiring prompt patching.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.1 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-416
Affected products
4 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Use after free in Proxy in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code via malicious network traffic. (Chromium security severity: Critical)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11643 is a use-after-free memory safety vulnerability (CWE-416) residing in Chrome's Proxy subsystem. The defect allows a remote, unauthenticated attacker to corrupt memory state via malicious network traffic, potentially leading to code execution without user interaction or elevated privileges. The CVSS v3.1 score of 8.1 reflects the high impact (confidentiality, integrity, availability) and network-based attack vector, though the attack complexity is rated as high, indicating some constraint on practical exploitation.

Business impact

Successful exploitation could compromise user systems and data, enabling attackers to steal credentials, install malware, or pivot into corporate networks. For organizations relying on Chrome as a primary browser—especially in hybrid or remote work environments—this vulnerability poses a material risk to endpoint security posture. The lack of user interaction required for exploitation increases urgency relative to vulnerabilities requiring social engineering.

Affected systems

The vulnerability impacts Google Chrome installations on Windows, macOS, and Linux systems running versions before 149.0.7827.103. Because Chrome auto-updates by default on most platforms, exposure is typically time-limited; however, organizations with delayed or disabled auto-updates face extended risk windows. The vulnerability is specific to Chrome and does not directly affect the underlying operating systems themselves.

Exploitability

The attack requires network-level access to send malicious traffic to a Chrome instance, but does not require user interaction, authentication, or user clicks. Attack complexity is rated as high, suggesting successful exploitation depends on specific conditions such as precise memory state, Chrome version specifics, or network positioning. No public exploit code or proof-of-concept has been confirmed as of the publication and modification dates. The absence of a CISA KEV listing indicates no evidence of active, weaponized exploitation in the threat landscape at this time.

Remediation

Update Google Chrome to version 149.0.7827.103 or later on all affected systems. Chrome's built-in auto-update mechanism will deliver patches automatically on most configurations; verify completion by checking Settings > About Google Chrome. For managed environments, deploy updates via your browser management policy or endpoint management platform. Test patching in non-production environments first if your organization has custom extensions or enterprise configurations.

Patch guidance

Google Chrome patches are typically rolled out incrementally across the user base over several days. Administrators should verify update status by checking the browser version in chrome://settings/help or using your device management console. If auto-update is disabled, manually trigger updates or enable automatic updates in Chrome settings. For enterprise Chrome deployments, reference your organization's Chrome release schedule and ensure patch testing does not delay deployment beyond 30 days of the patch release. Validate that no critical extensions are broken by the update before full rollout.

Detection guidance

Monitor for Chrome instances running versions below 149.0.7827.103 using endpoint detection and response (EDR) tools, software inventory systems, or browser telemetry platforms. Network-level detection is challenging because exploitation traffic is encrypted (HTTPS) and difficult to distinguish from legitimate network activity without behavioral indicators. Focus detection efforts on post-exploitation artifacts: unexpected child processes spawned from chrome.exe, unusual network outbound connections from Chrome, or memory corruption crash logs. Consider collecting crash reports from Chrome installations to identify failed exploitation attempts.

Why prioritize this

Despite the absence of active exploitation (no KEV listing), the combination of Critical severity from Chromium, remote attack capability, lack of user interaction, and broad deployment of Chrome across enterprise endpoints warrants high prioritization. The vulnerability is in a core browser component (Proxy handling) that processes all HTTP/HTTPS traffic, maximizing exposure. Organizations should prioritize patching within 30 days and consider interim mitigations such as network segmentation or VPN enforcement if rapid patching is infeasible.

Risk score, explained

The CVSS v3.1 score of 8.1 (HIGH) reflects a severe but not critical baseline risk. The score is driven by remote network access, no privilege or user interaction required, and full compromise of confidentiality, integrity, and availability. The high attack complexity moderates the score from a critical rating, but this should not be misinterpreted as low exploitability in practice—it reflects that successful exploitation requires specific technical conditions rather than trivial attack steps. The absence of mitigation controls (no MFA bypass, no privilege escalation required) and broad target population elevates real-world risk relative to the numerical score.

Frequently asked questions

Do I need to manually update Chrome, or does it update automatically?

Chrome auto-updates on most systems by default. To verify your version and trigger an immediate update, open Chrome and navigate to Settings > About Google Chrome. The browser will check for updates automatically; if an update is available, it will download and prompt you to restart. On managed enterprise deployments, check with your IT department or device management console to confirm your update policy.

Is this vulnerability being actively exploited?

As of the publication date (June 9, 2026), this vulnerability does not appear on CISA's Known Exploited Vulnerabilities (KEV) list, indicating no confirmed active exploitation in the wild. However, the absence of public exploitation does not mean the vulnerability is safe to ignore—attackers may discover and weaponize it after public disclosure. Patching should not be delayed pending exploitation reports.

Can I be infected just by visiting a website, or do I need to download something?

Exploitation requires malicious network traffic sent directly to your browser's Proxy component. Simply visiting a website is unlikely to trigger exploitation unless the website is compromised and serving specialized malicious traffic. However, the vulnerability's network-level nature and the commonality of proxy-based attacks suggest attackers may target organizations using proxy appliances or compromised network infrastructure. Defense-in-depth measures such as network segmentation and threat detection remain important even after patching.

Why does my organization's patch management tool show this as 'Critical' when CVSS says 'HIGH'?

Chromium's internal severity rating is 'Critical,' while the CVSS v3.1 numeric score of 8.1 corresponds to the 'HIGH' severity band (7.0–8.9). Organizations often weight severity labels differently: some prioritize CVSS scores, others rely on vendor severity ratings. For Chrome, Chromium's 'Critical' designation typically justifies urgent patching regardless of CVSS numeric boundaries. Align your patch policy with the most stringent assessment: treat this as Critical.

This analysis is provided for informational purposes and based on data available as of June 2026. Patch version numbers, affected product lists, and severity ratings reflect the source advisory; verify against official Google Chrome Security releases and your vendor documentation before deployment. No exploit code, weaponized proof-of-concept, or attack reconstruction is provided. Organizations should conduct their own risk assessments in the context of their specific environments, threat models, and patch cadences. This document does not constitute legal or compliance advice. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).