CVE-2026-9964: Chrome macOS Bluetooth Use-After-Free Vulnerability – Patch & Detection Guide
CVE-2026-9964 is a memory safety vulnerability in Chrome's Bluetooth implementation on macOS that can allow attackers to run malicious code on a victim's computer. The attack requires two user actions: the victim must first install a malicious Chrome extension, and then interact with Bluetooth functionality in a way that triggers the underlying flaw. Once those conditions are met, the attacker can execute arbitrary code with the same privileges as the Chrome process.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.1 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-416
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
Use after free in Bluetooth in Google Chrome on Mac prior to 148.0.7778.216 allowed an attacker who convinced a user to install a malicious extension to execute arbitrary code via a crafted Chrome Extension. (Chromium security severity: High)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
This vulnerability is a use-after-free (UAF) defect in the Bluetooth subsystem of Chromium on macOS prior to version 148.0.7778.216. A use-after-free occurs when code attempts to access memory that has already been freed, allowing an attacker to read sensitive data, crash the application, or achieve code execution. In this case, a malicious Chrome extension can craft specific inputs that trigger the freed memory access in the Bluetooth handling routines, leading to arbitrary code execution. The CVSS v3.1 score of 8.1 (HIGH) reflects the severity of arbitrary code execution, though the attack complexity and user interaction requirements provide some mitigation.
Business impact
An attacker exploiting this vulnerability could gain code execution on an employee's machine with Chrome privileges, potentially leading to data exfiltration, lateral movement into corporate networks, or deployment of secondary malware. However, the practical impact is constrained by the requirement that users must actively install a malicious extension—a social engineering step that security awareness and extension governance policies can help prevent. Organizations should treat this as a significant risk if users have weak extension management policies or high exposure to sophisticated phishing campaigns.
Affected systems
This vulnerability affects Google Chrome on Apple macOS systems running versions prior to 148.0.7778.216. Windows and Linux users are not impacted by this specific vulnerability. The flaw does not affect Chrome on other operating systems. macOS users who have not updated Chrome to version 148.0.7778.216 or later remain at risk.
Exploitability
Exploitation requires user interaction and social engineering: an attacker must convince a user to install a malicious extension from outside the official Chrome Web Store or through a compromised store listing. Once installed, the attacker then needs the victim to interact with Bluetooth features in a way that triggers the vulnerability. This multi-step requirement limits the risk in well-managed environments. The CVSS vector (AV:N/AC:H/PR:N/UI:N) indicates network accessibility but high attack complexity; however, the practical user interaction barrier is significant. This vulnerability has not been added to the CISA Known Exploited Vulnerabilities (KEV) catalog, suggesting active exploitation in the wild has not been documented at time of publication.
Remediation
Update Google Chrome to version 148.0.7778.216 or later on all macOS systems. Chrome typically auto-updates, but users should verify their current version in Chrome Settings > About Chrome. Organizations should enforce Chrome updates through Mobile Device Management (MDM) or endpoint management tools. Additionally, implement extension policies to restrict users from installing extensions outside the Chrome Web Store and consider allowlisting approved extensions only. Security awareness training should reinforce the dangers of installing extensions from untrusted sources.
Patch guidance
Google has patched this vulnerability in Chrome 148.0.7778.216 for macOS. Verify your current Chrome version by navigating to Chrome menu > About Google Chrome; the browser will automatically check for updates and prompt for restart if an update is available. For enterprise deployments, use your organization's update management system to deploy this version. Given the memory safety nature of the defect, this is a security patch that should be prioritized for rapid rollout. There is no workaround for users who cannot immediately update; the only mitigation is to avoid installing untrusted extensions pending the update.
Detection guidance
Monitor for suspicious Chrome extension installations by reviewing browser extension policies and audit logs in your MDM platform. Look for extensions installed outside the official Chrome Web Store or extensions with unusual permissions (especially Bluetooth or system-level access). Behavioral detection could flag unusual Bluetooth API calls from extension processes, though this requires advanced endpoint detection and response (EDR) tooling. Check for failed Chrome update attempts or systems stuck on older Chrome versions. If you suspect exploitation has occurred, review Chrome crash reports and system logs for segmentation faults or memory corruption errors coinciding with Bluetooth operations.
Why prioritize this
Although this vulnerability carries a HIGH CVSS score and permits arbitrary code execution, its real-world risk is significantly mitigated by the social engineering requirement (malicious extension installation) and the lack of evidence of active exploitation in the wild. Patch this promptly as part of your normal Chrome update cycle, but deprioritize it in favor of vulnerabilities with lower friction to exploitation or confirmed active use. Organizations with strong extension governance and user awareness training face lower risk. If you operate in a threat landscape where targeted extension-based attacks are known, raise the priority accordingly.
Risk score, explained
The CVSS 3.1 score of 8.1 (HIGH) reflects three critical factors: (1) arbitrary code execution capability, which gives the attacker complete control over the victim's Chrome process and access to stored credentials and data; (2) network accessibility, allowing remote delivery of the malicious extension; (3) high attack complexity and user interaction requirements, which reduce the likelihood of large-scale automated attacks. The score does not account for the KEV status or evidence of exploitation—factors that would further inform real-world risk. In practice, this should be treated as a HIGH-priority patch but not an emergency-tier incident.
Frequently asked questions
Do I need to worry about this if my users only install Chrome extensions from the official Chrome Web Store?
Your risk is substantially lower but not zero. While the Chrome Web Store has automated malware scanning, sophisticated attacks have occasionally bypassed it or compromised legitimate extension developer accounts. Combined with extension permission policies and user awareness training, Web Store-only policies significantly reduce exploit likelihood. However, patching remains essential as a defense-in-depth measure.
Will Chrome automatically update to the patched version, or do I need to do it manually?
Chrome includes an auto-update mechanism that typically checks for updates every few hours. However, the update is applied only after the user restarts Chrome. In enterprise environments, you should verify deployment through your MDM system rather than relying solely on auto-update. Manually check chrome://settings/help to force an immediate update check.
Can attackers exploit this without a malicious extension?
No, the vulnerability requires a malicious Chrome extension to craft the specific conditions needed to trigger the use-after-free in Bluetooth handling. This is a constraint that, while still serious, prevents broad network-based attacks. The extension requirement is a meaningful friction point that extension governance policies can mitigate.
If we block Bluetooth in our Chrome policies, are we protected?
Disabling Bluetooth access at the system or Chrome policy level would prevent this specific attack vector, though it is a blunt mitigation and may impact legitimate use cases. The proper fix is to apply the security patch. Bluetooth policy restrictions can be a temporary measure for high-risk environments pending update rollout, but should not replace patching.
This analysis is based on vulnerability data published as of 2026-06-17 and reflects the known threat landscape at that time. Patch version numbers and affected software versions reference the vendor advisory and should be independently verified before deployment. This explainer does not constitute a substitute for vendor security bulletins or your organization's risk assessment process. Exploit code and detailed attack steps are intentionally omitted; security researchers should consult coordinated disclosure guidelines and vendor advisories for technical depth. Your organization's risk tolerance, user base, and threat model may necessitate different prioritization than outlined here; consult with your security leadership and threat intelligence team before finalizing remediation decisions. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10001HIGHChrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGHChrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10005HIGHChrome macOS Use-After-Free RCE Vulnerability (7.5 CVSS)
- CVE-2026-10007HIGHChrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)
- CVE-2026-10012HIGHChrome Skia Use-After-Free Sandbox Escape (v148.0.7778.216)
- CVE-2026-10013HIGHUse-After-Free in Chrome WebCodecs – Patch Guide & Risk Assessment
- CVE-2026-10016HIGHUse-After-Free in Chrome DOM – Sandbox Code Execution Vulnerability