CVE-2026-11648: Chrome Use-After-Free in FullScreen on Windows
A use-after-free memory flaw exists in Google Chrome's full-screen functionality on Windows. An attacker can craft a malicious web page that, when visited, exploits this flaw to corrupt the browser's memory heap. This could allow the attacker to execute arbitrary code on the victim's machine with the same privileges as the user running Chrome. The vulnerability requires user interaction (clicking or navigating to the malicious page) but no special privileges or complex setup.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-416
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Use after free in FullScreen in Google Chrome on Windows prior to 149.0.7827.103 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11648 is a use-after-free vulnerability (CWE-416) in the FullScreen implementation within Google Chrome on Windows. The flaw allows a remote attacker to trigger heap corruption through a specially crafted HTML page. The vulnerability exists in Chrome versions prior to 149.0.7827.103. The attack vector is network-based with low complexity; the only user interaction required is visiting or interacting with a malicious webpage. Successful exploitation could lead to arbitrary code execution in the context of the browser process.
Business impact
For organizations, this vulnerability poses a significant risk to any user running vulnerable Chrome versions on Windows workstations. Compromise of a user's browser process could allow attackers to steal credentials, session tokens, and sensitive data accessed through the browser, or to pivot to lateral movement within the network. The low barrier to exploitation—requiring only that a user visit a malicious site—makes this a practical threat in targeted attacks or widespread watering-hole campaigns. Organizations relying on Chrome as their primary browser should treat this as a priority patching issue.
Affected systems
Google Chrome on Microsoft Windows systems running versions prior to 149.0.7827.103 are affected. This includes all minor versions and patches before the specified build number. Chrome on other platforms (macOS, Linux, Android) and Windows systems already updated to 149.0.7827.103 or later are not vulnerable. Note that Chrome's auto-update mechanism typically deploys patches automatically, so the actual attack surface depends on how quickly users or organizations deploy updates.
Exploitability
This vulnerability has a CVSS 3.1 score of 8.8 (High), reflecting high impact and moderate exploitability barriers. The attack requires network access and user interaction but no authentication or special privileges. The attacker must craft a specific HTML payload and entice a user to visit it; however, the exploitation complexity is low once the payload is delivered. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, meaning active exploitation in the wild has not been confirmed at time of publication, though this should not be interpreted as indicating the vulnerability is difficult to exploit.
Remediation
The primary remediation is to update Google Chrome to version 149.0.7827.103 or later. Chrome's automatic update feature will push this patch to most users, but verification is recommended, especially in managed environments. Users should check their Chrome version by navigating to chrome://settings/help, which will display the installed version and trigger an update check if needed. In enterprise settings, administrators should verify patch deployment through their mobile device management (MDM) or patch management systems.
Patch guidance
Update Chrome to version 149.0.7827.103 or later. For individual users: Chrome typically auto-updates in the background, but manual verification can be done via chrome://settings/help. For enterprise administrators: deploy this update through your standard patch management processes or verify auto-update settings in Chrome enterprise policies. Given the high CVSS score and low complexity of exploitation, this patch should be prioritized and deployed broadly within 2-4 weeks. Test in a representative sample of systems before full rollout only if your organization has specific compatibility concerns; the patch addresses a memory corruption flaw and is unlikely to cause regression issues.
Detection guidance
Detecting exploitation of this vulnerability is challenging because the attack occurs entirely within the browser memory space. Traditional network detection may identify malicious HTML pages if they are known, but the real-time detection of heap corruption is not practical at the network layer. Focus detection efforts on: (1) monitoring for abnormal Chrome child process behavior (e.g., unexpected code execution or system calls); (2) identifying visits to known malicious domains using web proxy logs or DNS query logs; (3) monitoring for crashes or unusual memory access patterns in Chrome logs if available. Endpoint Detection and Response (EDR) tools should alert on suspicious activity following Chrome process execution. The most practical approach is to ensure timely patching rather than relying on detection.
Why prioritize this
This vulnerability should be prioritized based on multiple factors: (1) High CVSS score (8.8) indicating significant impact; (2) low attack complexity and no authentication requirement, making it practical to exploit at scale; (3) broad affected population (any Windows user running Chrome <149.0.7827.103); (4) potential for code execution with browser-level privileges, enabling credential theft or lateral movement; (5) availability of a patch that is simple to deploy via auto-update. Although not yet in the KEV catalog, the vulnerability's characteristics suggest it could become a target for opportunistic or targeted attackers. Organizations should treat this as a high-priority patch within the normal 2-4 week patch window.
Risk score, explained
The CVSS 3.1 score of 8.8 (High) reflects: attack vector of network (AV:N) with no authentication required (PR:N), low attack complexity (AC:L), and user interaction required (UI:R). The impact ratings are high across confidentiality (C:H), integrity (I:H), and availability (A:H), reflecting the potential for arbitrary code execution and full compromise of the browser process. The scope is unchanged (S:U), meaning impact is limited to the vulnerable component and the user's browser session. The score appropriately captures a serious but not critical vulnerability requiring user action to trigger.
Frequently asked questions
Will my Chrome browser auto-update to fix this vulnerability?
Yes, Chrome's default configuration includes automatic updates that will deploy version 149.0.7827.103 or later to most users. However, auto-update may be delayed by a few days or weeks depending on your system. You can manually check and update immediately by going to chrome://settings/help, which will also display your current version.
Is this vulnerability actively being exploited in the wild?
As of the vulnerability's publication date, CVE-2026-11648 is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, indicating that active exploitation has not been confirmed. However, this does not mean the vulnerability is difficult to exploit; the KEV status reflects observed attacks, not exploit difficulty. Given the low complexity and high impact, organizations should not delay patching while waiting for confirmation of active exploitation.
What should I do if I'm running Chrome on Windows and can't update immediately?
Until you can update, limit your browsing to trusted sites, disable JavaScript execution for untrusted content if possible (via extensions), and consider using a secondary browser for any risky browsing. In enterprise settings, administrators may implement network policies to restrict visits to known malicious domains. However, these are stopgaps; prioritize deployment of the patch as soon as feasible.
Does this vulnerability affect Chrome on macOS or Linux?
No. This vulnerability is specific to Chrome on Windows and affects the FullScreen implementation in that context. Chrome on macOS, Linux, and other platforms is not vulnerable. Mobile Chrome (Android) is also unaffected.
This analysis is based on the vulnerability data published on 2026-06-09 and modified on 2026-06-17. Patch version numbers, CVSS scores, and affected product versions reflect the official vendor advisory and public records. Readers should verify the applicability of patches and guidance against their specific system configurations and the latest vendor updates. SEC.co does not provide warranties regarding the accuracy or completeness of this intelligence, and recommends independent verification before implementing remediation measures in production environments. Exploit code or detailed attack techniques are not provided; readers seeking such information should consult authorized security research resources or vendors directly. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10000HIGHChrome Sandbox Escape via Use-After-Free in Password Handling
- CVE-2026-10001HIGHChrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGHChrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10007HIGHChrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)
- CVE-2026-10012HIGHChrome Skia Use-After-Free Sandbox Escape (v148.0.7778.216)
- CVE-2026-10013HIGHUse-After-Free in Chrome WebCodecs – Patch Guide & Risk Assessment
- CVE-2026-10016HIGHUse-After-Free in Chrome DOM – Sandbox Code Execution Vulnerability