CVE-2026-11657: Chrome Payments Use-After-Free RCE on macOS
Google Chrome on macOS contains a use-after-free memory flaw in its Payments feature that allows an attacker to run malicious code on a user's machine. The vulnerability is triggered when a user visits a specially crafted website, making it relatively easy to exploit in the wild. Chrome versions before 149.0.7827.103 on macOS are affected. This is a remote code execution risk that requires user interaction (clicking a link or visiting a site) but no special privileges.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-416
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Use after free in Payments in Google Chrome on Mac prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11657 is a use-after-free vulnerability (CWE-416) in the Payments processing component of Google Chrome on macOS. The flaw occurs when the Payments subsystem attempts to access memory that has already been freed, allowing an attacker to corrupt heap state and achieve arbitrary code execution. The vulnerability has a CVSS 3.1 score of 8.8 (High) with a network attack vector, low complexity, and no privilege requirement. User interaction is mandatory—the victim must visit or interact with a malicious webpage. The flaw is marked as Chromium security severity: High and affects all Chrome versions prior to 149.0.7827.103 on macOS systems.
Business impact
Remote code execution via malicious web pages poses a direct threat to macOS users relying on Chrome for business activities. An attacker gaining code execution can steal credentials, access corporate data, install persistence mechanisms, or pivot to other systems on the network. Organizations with significant macOS user bases should treat this as a critical update priority, especially for users handling sensitive transactions or accessing internal web applications. The requirement for user interaction somewhat limits mass-attack feasibility, but targeted spear-phishing campaigns using crafted HTML pages remain a practical threat.
Affected systems
Google Chrome on Apple macOS versions prior to 149.0.7827.103 are vulnerable. The vulnerability is specific to the macOS port of Chrome and does not affect Chrome on Windows, Linux, Android, or other platforms (though similar Payments vulnerabilities may exist in other versions). Any macOS device running an unpatched Chrome browser is at risk if users visit attacker-controlled or compromised websites.
Exploitability
This vulnerability carries moderate-to-high exploitability risk. While it requires user interaction (visiting a malicious page), the attack complexity is low and no special privileges are needed. The use-after-free bug in a core subsystem like Payments is amenable to reliable exploitation through heap grooming techniques. The fact that it remained unpatched until version 149.0.7827.103 and was assigned Chromium High severity suggests that exploitation proof-of-concept development is likely. This is not yet listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, but the low barrier to user interaction and high technical severity make it a realistic target for threat actors.
Remediation
Users must update Google Chrome to version 149.0.7827.103 or later on macOS. Enable Chrome's automatic update feature to ensure the patch is deployed without delay. Organizations should verify the update status of all Chrome installations on macOS endpoints and confirm successful patching through endpoint management tools. In the interim, users should avoid clicking on suspicious links and be cautious when visiting untrusted websites. Consider blocking or restricting access to high-risk sites if feasible.
Patch guidance
Update Google Chrome on macOS to version 149.0.7827.103 or later. Chrome typically delivers security patches automatically, but verify that your installation reflects the patched version by navigating to Chrome menu > About Google Chrome, which will force a check for updates. Enterprise deployments should validate patch deployment through their mobile device management (MDM) or endpoint management platform. The patch addresses the use-after-free condition in the Payments subsystem. No workarounds exist; patching is the only remediation.
Detection guidance
Monitor for Chrome crashes or unexpected terminations on macOS systems, particularly when users visit unfamiliar or untrusted websites—heap corruption may cause observable crashes. Review browser extension or plugin logs for unauthorized installs post-compromise. Check endpoint telemetry for indicators of code execution following web activity (new process spawning, file system modifications, outbound connections). Network detection should flag anomalous traffic from macOS Chrome processes, especially to known malware distribution or command-and-control infrastructure. Maintain current vulnerability scanning tools that can identify unpatched Chrome versions.
Why prioritize this
This vulnerability merits immediate patching due to its CVSS score of 8.8 (High), remote code execution capability, and low attack complexity. Although user interaction is required, the bar for triggering exploitation is low—a phishing email with a link or an ad-compromised website suffices. Organizations with macOS-heavy populations or users accessing web-based business applications should prioritize this update urgently. The combination of high severity and Chromium's status as a ubiquitous browser elevates risk relative to vulnerabilities in less-common software.
Risk score, explained
The CVSS 3.1 score of 8.8 reflects a High severity vulnerability with the following factors: Network attack vector (AV:N) permits remote exploitation; low attack complexity (AC:L) means no special conditions are needed; no privilege escalation required (PR:N); user interaction is mandatory (UI:R), which slightly reduces the score but remains a practical constraint; and the impact is complete—confidentiality, integrity, and availability are all fully compromised (C:H/I:H/A:H) once code execution is achieved. The score does not account for deployment challenges, detectability, or real-world threat actor interest; those factors are addressed separately in prioritization.
Frequently asked questions
Is my Windows or Linux Chrome installation affected?
No. This vulnerability is specific to Google Chrome on macOS. Windows, Linux, Android, and other platforms are not affected by CVE-2026-11657, though they may have their own separate browser vulnerabilities requiring attention.
Do I need to do anything if automatic updates are enabled?
Chrome typically auto-updates in the background, but you should verify you are running version 149.0.7827.103 or later. Go to Chrome menu > About Google Chrome to check your version and force an update check if needed. Enterprise users should confirm deployment through their MDM solution.
What happens if I visit a malicious page before patching?
Visiting a malicious page does not guarantee exploitation. The attacker must craft the HTML carefully to trigger the use-after-free. However, if you suspect you visited a compromised site, patch immediately, consider changing passwords from another device, and monitor for unusual account activity. Organizations may wish to treat unpatched users as potentially compromised until forensic review can be completed.
Why does this vulnerability require user interaction?
The Payments feature in Chrome must be triggered or used by the user to access the vulnerable code path. This means the attacker must lure the user to a malicious website (via phishing, watering hole, ad injection, etc.). Remote unauthenticated exploitation without user action is not possible, but this remains a low bar for attackers in practice.
This analysis is provided for informational purposes and reflects vulnerability data as of the modification date (2026-06-17). Organizations should verify all technical details, patch versions, and compatibility with their specific environments against official vendor advisories from Google and Apple before deploying updates. No exploit code or weaponization guidance is provided. The absence of a vulnerability from CISA's Known Exploited Vulnerabilities catalog does not indicate low risk; exploit development and deployment may occur at any time. Always maintain a current backup and test patches in a non-production environment before broad deployment. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10001HIGHChrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGHChrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10005HIGHChrome macOS Use-After-Free RCE Vulnerability (7.5 CVSS)
- CVE-2026-10007HIGHChrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)
- CVE-2026-10012HIGHChrome Skia Use-After-Free Sandbox Escape (v148.0.7778.216)
- CVE-2026-10013HIGHUse-After-Free in Chrome WebCodecs – Patch Guide & Risk Assessment
- CVE-2026-10016HIGHUse-After-Free in Chrome DOM – Sandbox Code Execution Vulnerability