What is the CVSS score of CVE-2026-11636?

CVE-2026-11636 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of Google Chrome are affected by CVE-2026-11636?

Google Chrome for Windows contains a code execution vulnerability (CVE-2026-11636) in versions prior to 149.0.7827.103 that activates when users visit malicious websites.. A patch is available.

How to fix or mitigate CVE-2026-11636?

Within 24 hours: Issue security alert to all Windows Chrome users and initiate distribution of Chrome 149.0.7827.103 or later, prioritizing staff in sensitive data or administrative roles. Within 7 days: Deploy patch to 80 percent of Chrome-using Windows systems and document any deferrals. Within 30 days: Complete deployment across the organization, implement update enforcement policies, and verify full version compliance through asset inventory.

Google Chrome CVE-2026-11636

EUVD-2026-35236 HIGH

Use After Free (CWE-416)

2026-06-09 chrome-cve-admin@google.com

GHSA-2qwf-fvgv-5362

Google Memory Corruption Use After Free Microsoft Denial Of Service Red Hat Suse

7.5

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

7.5 HIGH

AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

SUSE

CRITICAL

qualitative

Red Hat

8.8 HIGH

qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Jun 09, 2026 - 11:23 vuln.today

CVSS changed

Jun 09, 2026 - 11:22 NVD

7.5 (HIGH)

CVE Published

Jun 09, 2026 - 00:16 nvd

HIGH 7.5

CVE Published

Jun 09, 2026 - 00:16 nvd

UNKNOWN (no severity yet)

DescriptionCVE.org

Use after free in Autofill in Google Chrome on Windows prior to 149.0.7827.103 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)

AnalysisAI

Heap corruption in Google Chrome's Autofill component on Windows versions prior to 149.0.7827.103 allows remote attackers to potentially achieve code execution by luring users to a malicious HTML page and convincing them to perform specific UI interactions. Chromium rates the underlying flaw as Critical severity, though CVSS scores it 7.5 due to required user interaction and high attack complexity. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Host crafted HTML page

Delivery

Lure victim Chrome user to site

Exploit

Induce specific UI gesture on Autofill

Execution

Trigger use-after-free in renderer

Persist

Shape heap and gain code execution

Impact

Chain sandbox escape for host compromise

Access

Host crafted HTML page

Delivery

Lure victim Chrome user to site

Exploit

Induce specific UI gesture on Autofill

Execution

Trigger use-after-free in renderer

Persist

Shape heap and gain code execution

Impact

Chain sandbox escape for host compromise

Vulnerability AssessmentAI

Exploitation	Exploitation requires the victim to visit attacker-controlled HTML in Chrome for Windows prior to 149.0.7827.103 AND to perform specific UI gestures (per the description) that interact with the Autofill feature - passive page load alone is insufficient. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	Signals are mixed and should be weighed carefully. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker hosts a crafted HTML page on an attacker-controlled or compromised domain and lures a Chrome user there via phishing, malvertising, or a watering-hole. When the victim performs the specific UI gesture required by the page (for example, focusing or selecting an Autofill suggestion in a manipulated form), the Autofill code path frees an object whose dangling pointer is then reused, corrupting the heap in the renderer. …
Remediation	Vendor-released patch: Google Chrome 149.0.7827.103 for Windows; update via Chrome's built-in updater (chrome://settings/help) or by deploying the patched MSI through enterprise channels, then restart all browser processes to ensure the fix is loaded. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Issue security alert to all Windows Chrome users and initiate distribution of Chrome 149.0.7827.103 or later, prioritizing staff in sensitive data or administrative roles. …

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Critical

Product	Status
openSUSE Leap 16.0	Fixed
openSUSE Tumbleweed	Fixed

CVE-2026-11636 vulnerability details – vuln.today

Back

Google Chrome CVE-2026-11636

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

Vendor StatusVendor

SUSE

Share

External POC / Exploit Code