CVE-2026-11694: Chrome ServiceWorker Use-After-Free Code Execution Vulnerability
A use-after-free flaw in Google Chrome's ServiceWorker implementation could allow an attacker who has already compromised the renderer process to run malicious code within the sandbox. The vulnerability requires user interaction (visiting a specially crafted webpage) but poses a direct path to code execution for an attacker with partial system access.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-416
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Use after free in ServiceWorker in Google Chrome prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11694 is a use-after-free vulnerability (CWE-416) residing in Chrome's ServiceWorker subsystem. The defect allows a compromised renderer process to trigger memory access violations when ServiceWorker objects are improperly freed and subsequently referenced. An attacker must craft a malicious HTML page and convince a user to visit it; the renderer compromise is a prerequisite. Exploitation leads to arbitrary code execution within the sandbox boundary. Chrome versions prior to 149.0.7827.103 are affected.
Business impact
For organizations relying on Chrome as a primary browser or for web-based development workflows, this vulnerability creates a two-stage attack vector: initial renderer compromise followed by sandbox escape or privilege escalation. The requirement for user interaction (visiting a malicious page while the renderer is already compromised) limits broad exploitation, but targeted supply-chain or phishing campaigns could weaponize this effectively. Affected systems may face data exfiltration, malware installation, or lateral movement within corporate networks.
Affected systems
Google Chrome versions before 149.0.7827.103 on Windows, macOS, and Linux are vulnerable. The listing of the Linux kernel and host operating systems reflects the platform scope; however, the vulnerability itself resides in the Chrome browser. Verify your organization's Chrome deployment version against the patched release.
Exploitability
Exploitation requires two preconditions: (1) a compromised renderer process, and (2) user interaction to visit a crafted HTML page. The CVSS score of 7.5 (High) reflects the high impact (confidentiality, integrity, availability) but acknowledges the elevated attack complexity and user interaction requirement. This is not a zero-click or drive-by worm vector; it is most dangerous in targeted attacks where the renderer compromise is already established or in advanced persistent threat scenarios.
Remediation
Upgrade Google Chrome to version 149.0.7827.103 or later. Deploy updates across all managed endpoints using your organization's software deployment mechanisms. For environments where immediate patching is not feasible, consider disabling ServiceWorker functionality or restricting access to untrusted web content. Monitor renderer process integrity to detect potential compromise before exploitation of this flaw.
Patch guidance
Google Chrome updates are typically rolled out automatically; however, verify that affected systems have received the patch by checking Settings > About Chrome or querying the version programmatically. For managed deployments, use Chrome policy settings (e.g., update policies in Active Directory or Apple MDM) to enforce 149.0.7827.103 or later. Test patches in a controlled environment before enterprise-wide rollout. Verify against Google's official release notes to confirm the fix inclusion.
Detection guidance
Monitor for suspicious ServiceWorker registration patterns, unusual memory access errors in Chrome renderer processes, and crash dumps mentioning ServiceWorker. Collect browser security logs and sandbox violation alerts from endpoint detection and response (EDR) tools. Examine web access logs for visits to suspicious or newly registered domains that might host exploit pages. Cross-correlate renderer crashes with user activity timelines to identify potential attack windows.
Why prioritize this
Although this vulnerability requires renderer compromise as a prerequisite, it represents a critical escalation path once an attacker has a foothold. The High severity rating and sandbox-escape potential justify rapid prioritization in patching schedules. Organizations with high-value targets, development teams relying on Chrome extensions, or users frequently visiting untrusted sites should treat this as a priority. However, it is not as urgent as an unauthenticated remote code execution flaw.
Risk score, explained
The CVSS 3.1 score of 7.5 reflects: (1) High impact across confidentiality, integrity, and availability; (2) network-based attack vector; (3) high attack complexity due to renderer compromise requirement; (4) requirement for user interaction; and (5) unchanged scope (sandbox isolation). The High severity category is appropriate for a code execution flaw, though the prerequisites prevent it from reaching Critical.
Frequently asked questions
Can this vulnerability be exploited without user interaction?
No. The attacker must trick a user into visiting a malicious webpage while the renderer process is already compromised. This dual requirement significantly limits mass exploitation.
Does this flaw break out of the Chrome sandbox entirely?
The vulnerability allows code execution within the sandbox. Whether sandbox escape is possible depends on the specific attack chain and the presence of additional vulnerabilities. Organizations should assume defense-in-depth is necessary.
Are older versions of Chrome still supported if I cannot upgrade to 149.0.7827.103?
Google Chrome follows a rapid release cycle with security updates released regularly. Versions significantly older than the current release do not receive security patches. Upgrade to 149.0.7827.103 or later as soon as feasible.
Which operating systems are affected?
The vulnerability affects Chrome on Windows, macOS, and Linux. Update Chrome across all platforms in your environment. The operating system itself is not directly vulnerable; the browser application is the affected component.
This analysis is based on the published CVE record as of the modification date (2026-06-17). Patch version numbers and affected product lists reflect vendor advisories; verify against official Google Chrome release notes and security bulletins for your specific deployment. This vulnerability is not currently listed in the CISA KEV catalog. Organizations should conduct internal testing before deploying patches to production environments. Exploit code details are not disclosed in this analysis; refer to Google's official security advisory for technical remediation guidance. This information is provided for security planning purposes and does not constitute professional security advice for any specific organization. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10001HIGHChrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGHChrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10007HIGHChrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)
- CVE-2026-10012HIGHChrome Skia Use-After-Free Sandbox Escape (v148.0.7778.216)
- CVE-2026-10013HIGHUse-After-Free in Chrome WebCodecs – Patch Guide & Risk Assessment
- CVE-2026-10016HIGHUse-After-Free in Chrome DOM – Sandbox Code Execution Vulnerability
- CVE-2026-10882HIGHCritical Chrome Use-After-Free RCE Vulnerability – Exploit Details & Patch Guidance