What is the CVSS score of CVE-2026-11635?

CVE-2026-11635 has a CVSS 3.1 base score of 8.3 (High). CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of Google Chrome are affected by CVE-2026-11635?

Google Chrome on macOS versions prior to 149.0.7827.103 contain a sandbox escape vulnerability (CVE-2026-11635, CVSS 8.3) that enables full system compromise once malicious content reaches the…. A patch is available.

How to fix or mitigate CVE-2026-11635?

Within 24 hours: Identify all macOS endpoints running Chrome pre-149.0.7827.103; notify users and prepare push deployment. Within 7 days: Deploy Chrome 149.0.7827.103 or later to all macOS Chrome users via automatic update mechanism or managed distribution. Within 30 days: Audit Chrome inventory to verify patch application across all macOS fleet and document remediation completion.

Google Chrome CVE-2026-11635

EUVD-2026-35235 HIGH

Use After Free (CWE-416)

2026-06-09 chrome-cve-admin@google.com

GHSA-qfhp-x82v-ppcm

Denial Of Service Use After Free Memory Corruption Google Red Hat Suse

8.3

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

8.3 HIGH

AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

SUSE

CRITICAL

qualitative

Red Hat

9.0 HIGH

qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Jun 09, 2026 - 02:54 vuln.today

CVSS changed

Jun 09, 2026 - 02:22 NVD

8.3 (HIGH)

CVE Published

Jun 09, 2026 - 00:16 nvd

HIGH 8.3

CVE Published

Jun 09, 2026 - 00:16 nvd

UNKNOWN (no severity yet)

DescriptionCVE.org

Use after free in Bluetooth in Google Chrome on Mac prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)

AnalysisAI

Sandbox escape in Google Chrome on macOS prior to 149.0.7827.103 allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a use-after-free flaw in the Bluetooth component, triggered by a crafted HTML page. Chromium rates the severity as Critical, and a vendor patch is available; no public exploit has been identified at time of analysis, though the bug is tracked in the Chromium issue tracker (516987814).

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon

Lure victim to crafted page

Delivery

Deliver first-stage renderer RCE

Exploit

Trigger Bluetooth use-after-free via HTML

Install

Reclaim freed object with controlled data

Hijack browser-process IPC handler

Execute

Escape sandbox to browser process

Impact

Access user data and persist on macOS

Recon

Lure victim to crafted page

Delivery

Deliver first-stage renderer RCE

Exploit

Trigger Bluetooth use-after-free via HTML

Install

Reclaim freed object with controlled data

Hijack browser-process IPC handler

Execute

Escape sandbox to browser process

Impact

Access user data and persist on macOS

Vulnerability AssessmentAI

Exploitation	Exploitation requires a prior compromise of the Chrome renderer process - this CVE is a sandbox-escape primitive, not an initial-access bug, so a separate renderer RCE or comparable in-renderer code execution must be chained first. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	Real-world risk is meaningful but conditional. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	A user with a vulnerable Chrome on macOS visits an attacker-controlled or compromised site (the UI:R interaction), where a first-stage exploit - a separate, prior renderer RCE - gains code execution inside the sandboxed renderer. The attacker then loads a crafted HTML page that drives the Web Bluetooth IPC pathway to trigger the use-after-free, reclaims the freed object with attacker-controlled data, and pivots code execution into the browser process, escaping the sandbox to access the user's files, keychain-protected secrets, and persistent state. …
Remediation	Vendor-released patch: Google Chrome 149.0.7827.103 for macOS - upgrade immediately via Chrome's built-in updater or by redeploying the managed package, then ensure end users restart the browser so the update actually takes effect (Chrome staying open indefinitely is a common reason patches don't land). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all macOS endpoints running Chrome pre-149.0.7827.103; notify users and prepare push deployment. …

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Critical

Product	Status
openSUSE Leap 16.0	Fixed
openSUSE Tumbleweed	Fixed

CVE-2026-11635 vulnerability details – vuln.today

Back

Google Chrome CVE-2026-11635

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

Vendor StatusVendor

SUSE

Share

External POC / Exploit Code