HIGH 8.8

CVE-2026-11699: Chrome Bluetooth Use-After-Free on macOS

A use-after-free vulnerability exists in the Bluetooth component of Google Chrome on macOS. An attacker can craft a malicious webpage that, when visited by a user, exploits this flaw to corrupt the browser's memory and potentially execute arbitrary code. The vulnerability requires user interaction (visiting a link or webpage) but does not require the victim to have any special privileges. Google has assigned it high severity and has released a patch in Chrome version 149.0.7827.103.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-416
Affected products
2 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Use after free in Bluetooth in Google Chrome on Mac prior to 149.0.7827.103 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11699 is a use-after-free vulnerability (CWE-416) in the Bluetooth implementation within Google Chrome on macOS. The flaw allows a remote attacker to trigger heap corruption by serving a specially crafted HTML page. The vulnerability manifests when Chrome's Bluetooth subsystem references memory that has already been freed, leading to potential code execution with the privileges of the browser process. The attack is network-based and requires only user interaction—no additional privilege escalation is needed.

Business impact

For organizations relying on macOS endpoints running Chrome, this vulnerability poses a direct risk to employee workstations. Successful exploitation could allow attackers to gain code execution on an unpatched machine, potentially leading to data theft, malware installation, or lateral movement within the network. The attack surface is broad because it only requires a user to visit a compromised or attacker-controlled website. Organizations without rapid patching processes face meaningful exposure.

Affected systems

Google Chrome on Apple macOS prior to version 149.0.7827.103 is vulnerable. The vulnerability does not affect Chrome on Windows, Linux, or other platforms—it is specific to the macOS implementation of the Bluetooth component. Users should verify their current Chrome version and macOS configuration to determine exposure.

Exploitability

Exploitability is moderately straightforward. The attack requires crafting a malicious HTML page and enticing a user to visit it, but does not require social engineering beyond typical drive-by download or watering-hole scenarios. No zero-click exploitation or user authentication bypass is needed. The high CVSS score (8.8) reflects the combination of network accessibility, low complexity, and high impact (confidentiality, integrity, and availability all compromised). However, no public exploit code or active in-the-wild attacks have been formally documented in the KEV catalog, suggesting the window for proactive patching remains open.

Remediation

Update Google Chrome to version 149.0.7827.103 or later on all macOS endpoints. The patch addresses the use-after-free condition in the Bluetooth subsystem. Organizations should prioritize this update for employees with macOS machines and enforce Chrome auto-updates where possible. Verify deployment through automated patch management or manual version confirmation.

Patch guidance

Deploy Chrome version 149.0.7827.103 or later across all macOS endpoints. Most users can rely on Chrome's automatic update mechanism, which typically rolls out patches within 24 hours. For enterprise environments using managed Chrome deployments, use your device management tool (MDM) to enforce the update. Test the patch in a non-production environment first if your organization maintains strict change control. After patching, confirm rollout using Chrome's built-in update status or your MDM console.

Detection guidance

Monitor for Chrome process behavior on macOS systems, particularly anomalous Bluetooth stack activity or unexpected crashes of the Chrome process. Endpoint Detection and Response (EDR) tools should flag heap corruption exploitation attempts. Network-based detection is limited but may catch malicious HTML distribution through DNS or proxy logs. Since the vulnerability requires user browsing, monitor for indicators of compromise on macOS workstations visited during the pre-patch window. User education about visiting untrusted sites remains a valuable supplementary control.

Why prioritize this

This vulnerability merits rapid attention due to its high CVSS score, network accessibility, and low attack complexity. Although not yet in the KEV catalog, the combination of Bluetooth being a proximity-oriented component and the use-after-free nature creates risk for both internal network compromise and cross-platform lateral movement. Prioritize macOS-heavy organizations and users who access public or untrusted web content. Patch within 7–14 days for most deployments.

Risk score, explained

The CVSS 3.1 score of 8.8 (HIGH) reflects: (1) network-based attack vector requiring no special access; (2) low attack complexity—only a crafted HTML page is needed; (3) user interaction required but commonplace; (4) impact on all three security pillars (confidentiality, integrity, availability) through heap corruption leading to potential code execution. The score does not include exploit maturity or prevalence adjustments, as no active exploitation has been formally documented. Organizations should treat this as a high-priority but not critical vulnerability if systems are already actively monitored and users are educated about phishing.

Frequently asked questions

Does this vulnerability affect Chrome on Windows or Linux?

No, CVE-2026-11699 is specific to the macOS implementation of Chrome's Bluetooth component. Windows and Linux users are not affected.

What happens if I visit a malicious webpage before patching?

If you visit a crafted webpage before patching, an attacker may corrupt your Chrome process's memory, potentially leading to code execution with the same privileges as your browser. This is why prompt patching is important. If you suspect exposure, restart your browser and run a malware scan.

Is there an automatic patch, or do I need to manually update Chrome?

Chrome includes automatic update functionality; if your device has internet access and you allow updates, your browser should self-update to 149.0.7827.103 or later within 24 hours. You can manually check by clicking the menu, selecting 'About Google Chrome,' and letting it check for updates.

Are there known active exploits in the wild for this vulnerability?

As of the publication date, this vulnerability is not listed in the CISA KEV catalog, meaning no widespread in-the-wild exploitation has been formally documented. However, the vulnerability is public, so vigilance is still warranted—patch promptly rather than waiting for evidence of active attacks.

This analysis is based on official vulnerability data published by Google and NIST as of June 2026. Specific patch version numbers and timelines should be verified against the official Chrome release notes and vendor advisories. Risk assessments are general and should be tailored to your specific environment, asset inventory, and threat model. Organizations should consult their security teams and vendor documentation before implementing any remediation steps. SEC.co assumes no liability for the completeness or accuracy of third-party vendor advisories. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).