HIGH 8.8

CVE-2026-11687: Critical Chrome Use-After-Free on macOS – Patch Now

A memory safety flaw in Google Chrome's graphics rendering engine (Dawn) on macOS allows attackers to corrupt memory on a victim's computer by tricking them into visiting a malicious website. The vulnerability exists in Chrome versions before 149.0.7827.103 and can lead to complete compromise of the affected system.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-416
Affected products
2 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Use after free in Dawn in Google Chrome on Mac prior to 149.0.7827.103 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11687 is a use-after-free vulnerability (CWE-416) in the Dawn graphics library component of Google Chrome running on macOS. The flaw permits a network-based attacker to trigger heap memory corruption through a specially crafted HTML page, requiring only user interaction (visiting a malicious site). The vulnerability affects Chrome versions prior to 149.0.7827.103 and carries a CVSS 3.1 score of 8.8 (High severity) with a network attack vector and low attack complexity.

Business impact

Successful exploitation could allow attackers to achieve arbitrary code execution within the Chrome process, potentially leading to data theft, malware installation, or lateral movement into the wider network. For organizations with macOS-based workforces, this represents a direct path to endpoint compromise without requiring user credential compromise or advanced social engineering.

Affected systems

The vulnerability affects Google Chrome on macOS systems running versions prior to 149.0.7827.103. Apple macOS itself is listed as an affected vendor product context, though the vulnerability is Chrome-specific. Typically, all macOS versions supported by the affected Chrome release are at risk.

Exploitability

This vulnerability requires moderate attacker effort: a threat actor must host a malicious webpage and socially engineer or advertise it to target users. The attack requires user interaction (visiting the site), but no authentication or special privileges are needed. The low attack complexity combined with network accessibility and the high impact potential make this a practical attack vector for targeted and opportunistic campaigns alike.

Remediation

Users and administrators should immediately update Google Chrome to version 149.0.7827.103 or later on all macOS systems. This patch version addresses the use-after-free condition. Organizations should prioritize rapid deployment given the ease of exploitation and severity.

Patch guidance

Verify against the official Google Chrome release notes that version 149.0.7827.103 or later is installed. On macOS, users can check Chrome version via Menu > Chrome > About Google Chrome, which will auto-update if available. For enterprise environments, push the update through your macOS management platform (Jamf, Intune, etc.) and verify completion within 48 hours. No workarounds are available; patching is the only mitigation.

Detection guidance

Monitor for unusual Chrome process behavior including unexpected child processes, suspicious memory access patterns, or abnormal CPU/memory spikes during typical browsing. Web proxies and email gateways should block known malicious hosting infrastructure if indicators emerge. Endpoint Detection and Response (EDR) tools should flag heap corruption exploitation attempts or post-exploitation activity like credential access or process injection stemming from the Chrome process.

Why prioritize this

CVE-2026-11687 merits immediate patching due to its combination of high CVSS severity (8.8), ease of exploitation (network-based, low complexity, requires only user interaction), and serious impact (full confidentiality, integrity, and availability compromise). The absence from the KEV catalog does not diminish urgency; in-the-wild exploitation may develop quickly once patching deployment lags.

Risk score, explained

The CVSS 3.1 score of 8.8 reflects a network-accessible vulnerability requiring minimal attacker complexity and no authentication, paired with consequences affecting all three CIA triad pillars. The user interaction requirement prevents a perfect 9.8 score, but the practical barriers to exploitation are low: any user visiting a compromised or attacker-controlled site becomes vulnerable.

Frequently asked questions

Do we need to patch Chrome on all macOS systems or only user-facing workstations?

Patch all macOS systems running Chrome, including shared devices, remote workers, and administrative systems. The vulnerability can be triggered by visiting a website, so any system with active browsing is at risk. Headless or server-based Chrome instances should also be updated if they process untrusted content.

Will our current EDR solution detect and stop this attack?

EDR tools vary in their heap corruption detection capabilities. Most modern EDR platforms can flag suspicious process behavior and post-exploitation activity, but may not catch the initial memory corruption. Assume EDR provides detection and incident response support rather than prevention, and prioritize patching as the primary control.

Is there a timeline difference between Chrome's auto-update and macOS-managed deployments?

Chrome's built-in auto-update may take 24–48 hours to reach all instances. If you use enterprise MDM (Jamf, Microsoft Intune, etc.), you can force deployment immediately. For rapid mitigation, manually trigger updates or use MDM to push the patch, rather than relying on passive auto-updates.

Why is this not on the KEV list if it's this critical?

The KEV (Known Exploited Vulnerabilities) catalog is populated based on evidence of active in-the-wild exploitation. A vulnerability can be severe and easily exploitable without yet appearing in KEV. Threat intelligence should treat post-publication as the highest-risk window before widespread exploit deployment becomes evident.

This analysis is provided for informational purposes and reflects the vulnerability details and patch information available as of the publication date. Threat landscape and patch status may evolve; verify all patch versions and compatibility against official Google Chrome and Apple security advisories before deployment. This explainer does not constitute legal or compliance advice. Organizations should assess their own risk tolerance and deployment timelines in consultation with security and operations teams. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).