CVE-2026-11667: Chrome WebRTC Out-of-Bounds Read Vulnerability – CVSS 7.5 High
Google Chrome versions prior to 149.0.7827.103 contain an out-of-bounds read vulnerability in WebRTC processing that could allow an attacker with prior access to the GPU process to corrupt heap memory and potentially execute code. The attack requires user interaction (clicking a malicious link or visiting a crafted webpage) but could lead to serious data theft or system compromise.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-125
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Out of bounds read in WebRTC in Google Chrome prior to 149.0.7827.103 allowed a remote attacker who had compromised the GPU process to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11667 is an out-of-bounds read (CWE-125) in Chrome's WebRTC implementation affecting memory-mapped GPU process regions. The vulnerability manifests when the GPU process parses specially crafted HTML, triggering a read beyond allocated buffer boundaries. This out-of-bounds access can corrupt the heap state, creating conditions for privilege escalation or information disclosure. The attack surface is bounded by the GPU process sandbox, but compromising the GPU process itself is sufficient to trigger exploitation. The CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H) reflects network accessibility, high attack complexity due to sandbox constraints and user interaction requirements, and high confidentiality/integrity/availability impact.
Business impact
If exploited, an attacker could read or modify sensitive data within the GPU process memory space—including graphics buffers, cached credentials, or encryption keys—or trigger a denial-of-service crash. For organizations using Chrome on sensitive workstations, this widens the attack surface for data exfiltration when combined with social engineering. The requirement for GPU process compromise means this is not a trivial remote code execution, but it remains a meaningful escalation risk in targeted campaigns.
Affected systems
Google Chrome prior to version 149.0.7827.103 on Windows, macOS, and Linux systems is affected. The vulnerability is present across all major operating system platforms where Chrome runs. Systems using older or unpatched Chrome releases face exposure; enterprise deployments with auto-update enabled are at lower immediate risk, while those with update deferrals remain vulnerable.
Exploitability
Exploitation requires a remote attacker to first compromise the GPU process (a sandboxed component), then serve a crafted HTML page to a user who clicks or visits it. The attack is not trivial—it demands both prior sandbox compromise and user interaction—placing it in the 'targeted' rather than 'opportunistic' category. The vulnerability is not currently listed on CISA's Known Exploited Vulnerabilities (KEV) catalog, indicating no active in-the-wild exploitation has been formally documented at this time.
Remediation
Update Google Chrome to version 149.0.7827.103 or later immediately. Verify patch deployment via Chrome's internal version check (Menu > About Google Chrome). For enterprise environments, use update policies to enforce minimum version requirements and accelerate rollout. Consider disabling GPU acceleration in high-security contexts as a temporary mitigation if immediate patching is not feasible, though this impacts performance.
Patch guidance
Apply Chrome version 149.0.7827.103 or newer. Most users on stable channel with auto-update enabled will receive this patch automatically; verify completion by navigating to chrome://version/. In enterprise environments, use Chrome policy templates (e.g., MinimumChromeVersion) to enforce the patched version. Extended Stable channel users and those on custom build schedules should prioritize this update given its High severity rating. Test in non-production environments first if organizational policy requires it, but do not delay deployment beyond a few days.
Detection guidance
Monitor Chrome version compliance via endpoint management tools or vulnerability scanning. Log GPU process crashes or memory corruption incidents (check Chrome crash reports and OS-level core dumps for patterns). Intrusion detection systems should flag attempts to deliver WebRTC-triggering HTML payloads to Chrome instances. Network telemetry showing anomalous WebRTC behavior or GPU process restarts may indicate attack attempts. Review browser security audit logs and GPU process sandboxing status to detect tampering.
Why prioritize this
This vulnerability merits immediate patching priority despite not being on the KEV list. It combines High CVSS score (7.5), broad platform coverage (Windows/macOS/Linux), and straightforward user interaction trigger (visiting a webpage). While GPU process compromise is a prerequisite, the impact scope is confidentiality, integrity, and availability—making it a credible escalation vector for sophisticated attackers targeting high-value users. The absence from KEV does not negate urgency; it reflects lack of documented public exploitation, not low risk.
Risk score, explained
The CVSS 3.1 score of 7.5 reflects high potential impact (C:H/I:H/A:H) balanced against moderate attack complexity due to sandbox constraints and mandatory user interaction. The network vector (AV:N) elevates risk compared to local-only flaws. In context, this is a significant but not critical vulnerability—patch within days, not weeks, but not an emergency like a zero-day with active exploitation.
Frequently asked questions
Do I need to patch this immediately if I'm using auto-update?
Yes, but your risk window is narrow. Auto-update deployments typically roll out within hours to days. Verify your current version (chrome://version/) is 149.0.7827.103 or later. If not, restart Chrome to trigger the update, then restart your system if prompted.
What does 'GPU process compromise' mean, and does this require two separate exploits?
The GPU process is Chrome's sandboxed component that handles graphics rendering. This vulnerability assumes an attacker has already compromised that sandbox (a separate exploit). Once inside, they can exploit this out-of-bounds read to escape further or steal data. It's not a single-click remote code execution, but a chained attack vector.
Is there a workaround if I can't patch immediately?
Disabling GPU acceleration (Settings > Advanced > System, toggle 'Use hardware acceleration' off) removes the attack surface temporarily. However, this degrads performance and is not a permanent fix. Patch as soon as possible—do not rely on workarounds for extended periods.
Why is this marked High severity but not on CISA's KEV list?
KEV tracks vulnerabilities with documented active exploitation in the wild. CVE-2026-11667 has not been observed being actively exploited yet, which is why it's not listed. High CVSS score and broad impact still warrant urgent patching regardless of KEV status.
This analysis is provided for informational purposes to help security teams prioritize patching and risk mitigation. It is not a substitute for vendor advisories or your organization's security policy. CVSS scores and severity ratings are based on published CVE data; actual impact may vary depending on your environment, Chrome version, and user behavior. Verify patch availability and compatibility with your systems before deployment. This vulnerability is not currently documented as actively exploited, but absence from public exploit databases does not guarantee safety. Organizations should follow their standard patch management and change control procedures when deploying updates. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10889HIGHCritical ANGLE Sandbox Escape in Google Chrome – Patch to 149.0.7827.53
- CVE-2026-10927HIGHChrome Sandbox Escape via Dawn Out-of-Bounds Read
- CVE-2026-10941HIGHSkia Out-of-Bounds Memory Vulnerability in Chrome – Urgent Patch Required
- CVE-2026-11015HIGHCritical Chrome WebGPU Out-of-Bounds Read Vulnerability
- CVE-2026-11077HIGHChrome Dawn Graphics Vulnerability – Sandbox Escape Risk
- CVE-2026-11091HIGHCritical Chrome Memory Corruption Vulnerability in Dawn Graphics Engine
- CVE-2026-11111HIGHChrome Out-of-Bounds Read in ANGLE Graphics Engine — Patch Guidance
- CVE-2026-11191HIGHOut-of-Bounds Memory Access in Chrome ANGLE Library