CVE-2026-11644: Critical Use-After-Free in Google Chrome Views on Linux
A use-after-free vulnerability exists in Google Chrome's Views component on Linux systems. An attacker could exploit this by tricking a user into installing a malicious Chrome extension, which could then execute arbitrary code with the privileges of the Chrome process. This represents a critical-severity issue from Chromium's perspective, though the CVSS score reflects the requirement for user interaction (extension installation) as a limiting factor.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-416
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Use after free in Views in Google Chrome on Linux prior to 149.0.7827.103 allowed an attacker who convinced a user to install a malicious extension to execute arbitrary code via a crafted Chrome Extension. (Chromium security severity: Critical)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11644 is a use-after-free memory corruption vulnerability (CWE-416) in Google Chrome's Views subsystem on Linux platforms. The vulnerability allows code execution when a crafted malicious extension is loaded into an affected Chrome instance. The attack requires convincing a user to install the extension, which serves as the initial infection vector. The Views component handles UI rendering and event processing in Chromium, making memory safety critical in this context. Use-after-free flaws in rendering engines can lead to complete system compromise when combined with modern exploitation techniques.
Business impact
Compromise of Chrome on Linux systems poses significant risk to organizations whose workforce relies on Chrome for web access or development work. An attacker leveraging this vulnerability could steal credentials, intercept sensitive communications, install persistent malware, or pivot laterally within corporate networks. Linux users—including developers, sysadmins, and DevOps professionals—are particularly valuable targets. The requirement for extension installation raises the bar for mass exploitation but remains feasible through social engineering, supply-chain compromise, or deceptive distribution methods. Organizations should prioritize patching in high-risk user segments.
Affected systems
Google Chrome versions prior to 149.0.7827.103 on Linux are affected. The vulnerability is specific to the Linux implementation of Chrome's Views component and does not affect Chrome on Windows or macOS (based on the CVE description scope). Any Chrome installation on Linux systems below the patched version remains vulnerable to users who install untrusted extensions.
Exploitability
While the CVSS vector indicates high impact (confidentiality, integrity, and availability all compromised), exploitation requires user interaction: the target must be convinced to install a malicious Chrome extension. This is not a network-only or client-side exploit that works without action. However, the bar for social engineering should not be underestimated; attackers regularly disguise malicious extensions as productivity tools, security utilities, or legitimate services. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, suggesting active in-the-wild exploitation has not yet been widely documented, but the critical Chromium severity rating indicates Google assessed it as dangerous.
Remediation
Update Google Chrome to version 149.0.7827.103 or later on all Linux systems. Organizations should enforce automatic Chrome updates where possible and audit installed extensions to identify and remove any suspicious or unnecessary ones. Implement Chrome policies to restrict extension installation to a curated allowlist of approved extensions, reducing the surface for social engineering attacks. Consider using Chrome Enterprise for centralized management and security policy enforcement.
Patch guidance
Deploy Chrome version 149.0.7827.103 or later across Linux systems. Most Chrome installations update automatically; verify completion by navigating to chrome://version and confirming the version number matches or exceeds the patched release. For enterprise environments, use Chrome Enterprise or administrator tools to manage rollout and monitor update compliance. Test patched versions in a non-production environment first to ensure compatibility with critical business extensions and workflows.
Detection guidance
Monitor Chrome extension installations via Chrome management policies or endpoint detection and response (EDR) tools. Look for suspicious extensions with unusual permissions (especially access to all sites, file system, or tabs). Inspect browser process memory dumps or crash logs for evidence of use-after-free exploitation (segmentation faults, heap corruption). On Linux, monitor /proc/[pid]/maps and memory access patterns for anomalous Views component behavior. Network-based detection is limited since the payload executes locally within Chrome; focus on post-exploitation artifacts such as lateral movement, credential access, or data exfiltration.
Why prioritize this
This vulnerability warrants immediate patching despite the CVSS score of 7.5 and lack of current KEV status. The reason: Chromium marked it Critical, it affects core rendering infrastructure, and it enables arbitrary code execution. The user-interaction requirement does not diminish urgency; extension-based attacks are proven, scalable, and regularly exploited in the wild. Linux users often include high-value targets (developers, system administrators, security researchers). Prioritize patching for staff with elevated access, sensitive roles, or high-risk browsing habits.
Risk score, explained
The CVSS 3.1 score of 7.5 (HIGH) reflects a network vector with high complexity and required user interaction, balanced against high impact across confidentiality, integrity, and availability. The score may appear conservative relative to Chromium's Critical rating, which emphasizes the severity of the underlying flaw and the potential for weaponization. The discrepancy arises because CVSS penalizes user interaction, while Chromium's severity classifies the vulnerability itself. For prioritization purposes, align with Chromium's Critical assessment rather than relying solely on the CVSS number.
Frequently asked questions
Why does the Chromium severity (Critical) differ from the CVSS score (7.5 HIGH)?
Chromium's severity rating focuses on the technical severity of the vulnerability itself, while CVSS 3.1 applies a scoring matrix that factors in attack complexity and user interaction. Because this vulnerability requires a user to install a malicious extension, CVSS reduces the score. However, social engineering to trick users into installing extensions is well-established and routinely successful, making the real-world risk closer to Critical than the CVSS number suggests.
Is this vulnerability actively being exploited?
The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, which suggests that widespread, documented exploitation in the wild has not yet occurred. However, the absence of KEV status does not guarantee safety; opportunistic or targeted attacks may still be underway, especially against high-value individuals or organizations.
Does this affect Chrome on Windows or macOS?
No. The CVE description explicitly states the vulnerability is in Google Chrome on Linux prior to 149.0.7827.103. The Views component may exist on other platforms, but this particular use-after-free flaw appears to be Linux-specific based on the CVE scope.
How can an organization block malicious extension installations?
Chrome Enterprise and standard Chrome allow administrators to restrict extensions to an allowlist via group policy (on Windows domains) or configuration management systems. Set the ExtensionInstallAllowlist policy to approve only necessary extensions, and configure ExtensionInstallBlocklist to explicitly deny known malicious extensions. Monitor installation logs and use EDR tools to detect unauthorized extensions in real time.
This analysis is based on the CVE record and vendor-provided information as of the publication date. Patch version numbers and affected product details must be verified against the official Google Chrome security advisory and release notes. Organizations should conduct internal testing before deploying patches to ensure compatibility with critical extensions and workflows. This explainer does not constitute professional security advice and should be supplemented with guidance from your security vendor or internal security team. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10001HIGHChrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGHChrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10007HIGHChrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)
- CVE-2026-10012HIGHChrome Skia Use-After-Free Sandbox Escape (v148.0.7778.216)
- CVE-2026-10013HIGHUse-After-Free in Chrome WebCodecs – Patch Guide & Risk Assessment
- CVE-2026-10016HIGHUse-After-Free in Chrome DOM – Sandbox Code Execution Vulnerability
- CVE-2026-10882HIGHCritical Chrome Use-After-Free RCE Vulnerability – Exploit Details & Patch Guidance