Skip to main content

Google Chrome CVE-2026-11631

| EUVD-2026-35231 HIGH
Use After Free (CWE-416)
2026-06-09 chrome-cve-admin@google.com GHSA-xhf8-jxcw-9cvj
Google Memory Corruption Use After Free Microsoft Denial Of Service Red Hat Suse
8.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.3 HIGH
AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
SUSE
CRITICAL
qualitative
Red Hat
9.9 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 09, 2026 - 11:23 vuln.today
CVSS changed
Jun 09, 2026 - 11:22 NVD
8.3 (HIGH)
CVE Published
Jun 09, 2026 - 00:16 nvd
HIGH 8.3
CVE Published
Jun 09, 2026 - 00:16 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Use after free in Aura in Google Chrome on Windows prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)

AnalysisAI

Sandbox escape in Google Chrome on Windows versions prior to 149.0.7827.103 allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted HTML page exploiting a use-after-free in the Aura UI framework. Google rates the underlying Chromium issue as Critical severity, though exploitation requires a prior renderer compromise and user interaction (visiting a malicious page). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Lure user to crafted HTML page
Delivery
Trigger separate renderer RCE in V8/Blink
Exploit
Send crafted IPC to browser process
Install
Drive Aura into use-after-free state
C2
Reclaim freed object and hijack control flow
Execute
Execute code in unsandboxed browser process
Impact
Achieve sandbox escape on Windows host
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Exploitation requires three concrete prerequisites that must all hold: (1) the target must be running Google Chrome on Windows at a version prior to 149.0.7827.103 - Aura on other platforms and other browser engines are out of scope of this CVE; (2) the attacker must already have arbitrary code execution inside Chrome's sandboxed renderer process, typically obtained by chaining a separate renderer-side vulnerability such as a V8 or Blink bug, since the Aura code path is not reachable from untrusted web content directly; and (3) the victim must perform user interaction by navigating to or rendering a crafted HTML page (UI:R in the CVSS vector). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment This is a chained-exploit primitive rather than a standalone RCE: the CVSS 8.3 score reflects AV:N/AC:H/PR:N/UI:R/S:C with high impact on confidentiality, integrity, and availability, but the High attack complexity and the description's explicit prerequisite of a 'compromised renderer process' mean an attacker must already hold a renderer RCE (typically a separate V8 or Blink bug) before this issue becomes useful. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker first lures a target to a malicious or compromised website that delivers a renderer-process exploit (for example, a V8 type confusion) to gain code execution inside the sandboxed renderer. From there the attacker's payload sends crafted IPC messages or DOM/UI events that drive the browser-process Aura code into the use-after-free state, then sprays the freed allocation to gain control of the dangling pointer's referent, achieving code execution in the unsandboxed browser process and full escape onto the Windows host. …
Remediation Update Google Chrome on Windows to the vendor-released patch version 149.0.7827.103 or later via the Stable channel (advisory: https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0153744567.html); Chrome's auto-updater will deliver this on next browser restart, so enterprise admins should force a relaunch rather than rely on user behavior. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Identify all Windows systems running Chrome versions prior to 149.0.7827.103 using asset inventory or endpoint detection tools. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
openSUSE Leap 16.0 Fixed
openSUSE Tumbleweed Fixed

Share

CVE-2026-11631 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy