HIGH 8.8

CVE-2026-11664: Critical Use-After-Free in Chrome Payments—Patch Now

A use-after-free vulnerability exists in Google Chrome's Payments component that could allow an attacker to corrupt browser memory and potentially execute arbitrary code. An attacker would need to trick a user into visiting a malicious website to trigger the flaw. The issue affects Chrome versions prior to 149.0.7827.103 and is considered high-severity by Google's security team.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-416
Affected products
4 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Use after free in Payments in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11664 is a use-after-free vulnerability (CWE-416) in the Payments subsystem of Chromium-based browsers. Use-after-free flaws occur when software attempts to access memory that has already been freed, potentially allowing an attacker to read, write, or execute code at that memory location. In this case, a specially crafted HTML page can trigger the vulnerability, leading to heap corruption. The attack requires user interaction—specifically, visiting the malicious page—and does not require authentication or special privileges on the target system.

Business impact

Organizations relying on Chrome as a standard browser face potential compromise of user sessions, data theft, and malware infection. A successful exploit could give attackers access to sensitive information handled within the browser, including credentials, payment data, and browsing history. Teams should expect increased support requests as users encounter unstable browser behavior or encounter exploit attempts. For organizations managing Chrome at scale, this represents a mandatory patching priority to prevent targeted attacks against high-value users.

Affected systems

Google Chrome versions prior to 149.0.7827.103 are affected. Because Chromium is the basis for multiple browsers and operating systems, the vulnerability's impact extends across Windows, macOS, and Linux environments where Chrome is deployed. Users of Chromium-based browsers and embedded Chromium components should verify their specific product versions against vendor advisories.

Exploitability

The vulnerability is readily exploitable in real-world scenarios. It requires only a network vector (AV:N) with low attack complexity (AC:L), meaning no special network conditions or exploitation techniques are needed. Critically, no authentication or elevated privileges are required (PR:N), and the attack succeeds with standard user interaction (UI:R)—simply visiting a malicious webpage. The attack does not require tricking the user into unusual actions beyond normal browsing. Given these factors, exploitation is practical and likely to be attempted by threat actors.

Remediation

Update Google Chrome to version 149.0.7827.103 or later immediately. Users should enable automatic updates if not already configured, as Chrome typically applies security patches automatically. Organizations managing Chrome deployments should verify update completion across their user base and consider temporary browser restrictions on high-risk users until patching is confirmed. For users unable to patch immediately, minimize exposure by avoiding untrusted websites and disabling JavaScript in high-risk contexts if operationally feasible.

Patch guidance

Google has released Chrome 149.0.7827.103 as the fix version. Verify this version number in your environment by checking About Chrome, which will display the current version and automatically check for updates. For enterprise deployments, use your mobile device management (MDM) or group policy tools to enforce the patched version. Monitor Chrome's release notes and security bulletins for any subsequent patch versions addressing related issues. Test the update in a limited environment before broad deployment to ensure compatibility with critical web-based applications.

Detection guidance

Monitor Chrome crash reports and browser stability logs for patterns of use-after-free crashes, which often appear as memory protection violations or heap corruption errors. Network detection is challenging for this vulnerability since it requires a user to visit a malicious page; focus instead on behavioral signals such as unexpected JavaScript execution, abnormal memory usage spikes in the browser process, or visits to known malicious domains. Endpoint detection and response (EDR) tools should flag suspicious memory access patterns within browser processes. User reports of browser crashes after visiting certain websites should be treated as potential exploitation attempts.

Why prioritize this

This vulnerability merits immediate attention due to its high CVSS score (8.8), low attack complexity, lack of authentication requirements, and high impact across confidentiality, integrity, and availability. The Payments component's sensitivity—often handling financial and personal information—amplifies the risk. Wide deployment of Chrome across enterprises and the practical exploitability make this a high-priority patch. The absence of KEV listing does not diminish urgency; organizations should not wait for widespread public exploitation before patching.

Risk score, explained

The CVSS 3.1 score of 8.8 (HIGH) reflects the vulnerability's critical characteristics: network-based attack vector with low complexity, no authentication barrier, user interaction requirement only for initial compromise, and high impact on confidentiality (data disclosure), integrity (code execution), and availability (denial of service through crashes). The use-after-free nature enables memory corruption that can lead to arbitrary code execution, the most severe outcome. The scope is unchanged, meaning impact is limited to the vulnerable component, but the combination of factors—particularly the practical exploitability and sensitive Payments context—justifies the high severity rating.

Frequently asked questions

Do I need to be a technical user to be exploited by this vulnerability?

No. The attack only requires you to visit a malicious webpage while using an affected version of Chrome. There are no special technical steps required on your part. Simply clicking a link or visiting a compromised website could trigger the vulnerability.

Will my data be stolen if someone exploits this on my computer?

Potentially, yes. A successful exploit could allow an attacker to read data in memory, including passwords, payment information, and browsing history. However, exploitation success depends on triggering the vulnerability reliably, and not all exploitation attempts succeed. Updating to the patched version eliminates this risk.

If I use a different browser, am I safe from this vulnerability?

This vulnerability is specific to Chrome and Chromium-based browsers (such as Microsoft Edge, Brave, and Opera if built on Chromium). Other browsers like Firefox and Safari have their own security updates and vulnerabilities. Always keep all your software updated regardless of which browser you use.

Is there a temporary workaround if I cannot update Chrome immediately?

While not ideal, you can reduce risk by avoiding untrusted websites, disabling JavaScript in your browser settings (though this breaks many legitimate sites), and using a different browser temporarily for critical tasks. However, the only complete mitigation is to update to Chrome 149.0.7827.103 or later as soon as possible.

This analysis is based on vulnerability disclosures and vendor information available as of the publication date. Organizations must verify patch applicability against their specific software versions and configurations. Testing in non-production environments is recommended before deploying patches at scale. This vulnerability may be updated as additional information becomes available; readers should monitor official vendor advisories and security bulletins for the latest guidance. SEC.co does not provide real-time threat intelligence or exploit code distribution. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).