Skip to main content

Google Chrome CVE-2026-11230

| EUVDEUVD-2026-34691 HIGH
Use After Free (CWE-416)
2026-06-04 chrome-cve-admin@google.com GHSA-78m8-95p2-9vf9
High
Disputed · 8.8 NVD
Share

Severity by source

Sources disagree (Low–High)
NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
8.8 LOW
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 05, 2026 - 03:13 vuln.today
CVSS changed
Jun 05, 2026 - 02:22 NVD
8.8 (HIGH)
CVE Published
Jun 04, 2026 - 23:17 nvd
UNKNOWN (no severity yet)
CVE Published
Jun 04, 2026 - 23:17 nvd
HIGH 8.8

DescriptionNVD

Use after free in Extensions in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Low)

AnalysisAI

Remote code execution in Google Chrome prior to 149.0.7827.53 stems from a use-after-free flaw in the Extensions component, allowing a remote attacker who tricks a user into visiting a crafted HTML page to execute arbitrary code inside the browser's renderer sandbox. The issue is rated High by NVD (CVSS 8.8) despite Chromium's own Low severity tag, and no public exploit identified at time of analysis. A vendor patch is available via the June 2026 Stable Channel update.

Technical ContextAI

The vulnerability is a CWE-416 Use-After-Free defect in Chrome's Extensions subsystem, the component responsible for managing installed browser extensions and their interactions with web content and browser APIs. Use-after-free conditions occur when memory is freed but a dangling pointer is later dereferenced; an attacker who can groom the heap and time the access can coerce the freed slot into holding attacker-controlled data, typically yielding type confusion or control-flow hijack. Because Extensions runs inside Chrome's renderer/extension process context, exploitation as described lands the attacker inside the Chromium sandbox rather than at the host OS level, meaning a separate sandbox escape would be required for full compromise.

RemediationAI

Vendor-released patch: Google Chrome 149.0.7827.53 - update via the Stable Channel update announced at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html, typically delivered by Chrome's built-in auto-updater on next browser restart. Enterprise administrators should validate rollout via group policy or MDM and force-restart browsers where the update has staged but not applied. As a compensating control until patching completes, disable or restrict installation of non-essential browser extensions through the ExtensionInstallBlocklist / ExtensionInstallAllowlist policies, which reduces the attack surface of the Extensions subsystem at the cost of breaking user-installed productivity extensions; site-isolation and strict per-origin renderer enforcement should remain enabled as they help contain renderer-level compromises. Downstream Chromium browser users should consult their vendor's advisory and apply the corresponding upstream merge once published.

Vendor StatusVendor

SUSE

Severity: Important
Product Status
SUSE Package Hub 15 SP7 Fixed
openSUSE Leap 16.0 Fixed
openSUSE Tumbleweed Fixed
SUSE Package Hub 15 SP7 Affected

Share

CVE-2026-11230 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy