HIGH 8.8

CVE-2026-11698: Chrome macOS Bluetooth Use-After-Free RCE Vulnerability

Google Chrome on macOS contains a use-after-free vulnerability in its Bluetooth handling code that allows attackers to corrupt heap memory when a victim visits a malicious website. The vulnerability affects Chrome versions before 149.0.7827.103 and requires user interaction (clicking a link or visiting a site) but does not require special privileges. Successful exploitation can lead to data theft, system compromise, or application crash.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-416
Affected products
2 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Use after free in Bluetooth in Google Chrome on Mac prior to 149.0.7827.103 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11698 is a use-after-free flaw (CWE-416) in Chromium's Bluetooth subsystem on macOS. The vulnerability exists in memory management within the Bluetooth module, where freed memory is accessed after deallocation. An attacker can craft a malicious HTML page that triggers this condition when rendered by the browser. The network-accessible attack vector, combined with low complexity and requirement only for user interaction, creates a practical exploitation path. The resulting heap corruption can be leveraged to achieve code execution or information disclosure within the Chrome sandbox context.

Business impact

Organizations with macOS-based workforces using Chrome face risks of data exfiltration, particularly of credentials and sensitive information held in browser memory or local storage. While Chrome's sandbox mitigation limits direct system compromise, a successful exploit could enable lateral movement if combined with additional vulnerabilities, or persistent data theft through malware injection into the browser process. Delayed patching increases the window of exposure, especially if users frequently visit untrusted or compromised websites.

Affected systems

Google Chrome versions prior to 149.0.7827.103 on macOS systems are affected. The vulnerability does not impact Chrome on Windows, Linux, or other platforms, nor does it affect other Chromium-based browsers unless they ship the vulnerable code path. macOS users running Chrome 149.0.7827.103 or later are not affected. Organizations should audit their Chrome deployment versions and macOS inventory to identify exposure.

Exploitability

The vulnerability is practically exploitable without authentication or special user privileges. It requires only that a user view a crafted HTML page in Chrome—either by visiting a malicious website, clicking a phishing link, or opening an HTML file. No special browser settings or plugins are required. The attack surface is broad because web browsing is a routine user activity. However, the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, suggesting active in-the-wild exploitation is not yet confirmed at the time of publication.

Remediation

Immediately upgrade Google Chrome to version 149.0.7827.103 or later on all macOS systems. The update patches the use-after-free condition in the Bluetooth handling code. Organizations should enforce automatic Chrome updates where possible, or deploy the latest version through their endpoint management tools. Verify successful deployment by checking the Chrome version in Settings > About Chrome, which will display the current build number.

Patch guidance

Google Chrome will prompt users to update automatically; administrators can expedite deployment by pushing version 149.0.7827.103 or later through MDM solutions (Jamf, Intune, etc.) or via enterprise deployment channels. Verify patch status by querying browser version telemetry or by manual spot-checks. Because this vulnerability requires user interaction and is not yet observed in active attacks, patching can follow standard change-management processes rather than emergency procedures, though timely deployment is recommended given the CVSS 8.8 severity.

Detection guidance

Monitor for Chrome crashes or unexpected terminations on macOS systems, which may indicate attempted exploitation of the heap corruption. Browser crash reports can be reviewed via chrome://crashes. Endpoint detection and response (EDR) tools should flag unusual memory access patterns or heap spraying attempts if behavioral monitoring is configured. Network monitoring offers limited utility since the attack occurs after content delivery. Prioritize detection of malicious HTML delivery vectors—monitor for suspicious external HTML downloads or phishing campaigns targeting your organization's macOS users.

Why prioritize this

A CVSS score of 8.8 (HIGH) reflects the combination of network accessibility, user-interaction requirement, and impact to confidentiality, integrity, and availability. The vulnerability affects a widely-deployed browser on a platform with significant enterprise presence. The use-after-free mechanism is a well-understood attack primitive that skilled adversaries can reliably exploit. Although not yet in CISA's KEV catalog, the technical profile and broad user base make this a priority for patching before the vulnerability becomes more widely known or actively exploited.

Risk score, explained

The CVSS 3.1 score of 8.8 reflects: network-based attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), and user interaction required (UI:R). The scope is unchanged (S:U), indicating impact is limited to the Chrome process. High impact ratings for confidentiality, integrity, and availability (C:H/I:H/A:H) reflect the potential for code execution and information disclosure via heap corruption. The score appropriately weights the practical exploitability and real-world impact of use-after-free vulnerabilities in memory-unsafe code.

Frequently asked questions

Does this vulnerability affect Chrome on Windows or Linux?

No. CVE-2026-11698 is specific to the macOS Bluetooth implementation in Chrome. Windows and Linux users are not affected by this particular vulnerability, though they should remain current on all Chrome security updates for other issues.

If I have Chrome set to auto-update, am I protected?

If automatic updates are enabled and Chrome has restarted to apply the update, yes. However, users often delay restarts or disable auto-updates for productivity reasons. Verify your current version in Settings > About Chrome—if it shows 149.0.7827.103 or later, you are patched.

Can this vulnerability be exploited without clicking a link?

The vulnerability requires viewing a malicious HTML page, which typically means the user must navigate to a URL or open an HTML file. However, this could occur through a phishing email, compromised website, or malicious advertisement—not just intentional clicks on obviously suspicious links.

What does 'use-after-free' mean and why is it dangerous?

A use-after-free occurs when code attempts to access memory that has already been freed and returned to the operating system. An attacker can fill that freed memory with malicious data before the vulnerable code accesses it, leading to heap corruption, information disclosure, or code execution.

This analysis is based on publicly available information and the vulnerability advisory from Google and Chromium project sources. Organizations should verify patch applicability and test thoroughly in their environments before deployment. SEC.co makes no warranty regarding the completeness or accuracy of derived risk assessments. Always consult the official vendor advisories and your security team before making remediation decisions. This information is provided for educational and defensive security purposes only. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).