What is the CVSS score of CVE-2026-11646?

CVE-2026-11646 has a CVSS 3.1 base score of 8.8 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of Google Chrome are affected by CVE-2026-11646?

Google Chrome versions prior to 149.0.7827.103 contain a remote code execution vulnerability in the ViewTransitions component that allows attackers to execute arbitrary code within the browser…. A patch is available.

How to fix or mitigate CVE-2026-11646?

Within 24 hours: Audit Chrome deployment across all endpoints and identify versions prior to 149.0.7827.103; notify users and IT teams of patch urgency. Within 7 days: Deploy Chrome 149.0.7827.103 or later to all endpoints via patch management or auto-update mechanisms; prioritize user-facing workstations. Within 30 days: Verify complete remediation through scanning; confirm no vulnerable instances remain in production.

Google Chrome CVE-2026-11646

EUVD-2026-35246 HIGH

Use After Free (CWE-416)

2026-06-09 chrome-cve-admin@google.com

GHSA-6vj2-2gv4-3q34

Google Memory Corruption RCE Use After Free Denial Of Service Red Hat Suse

8.8

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

8.8 HIGH

AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

SUSE

CRITICAL

qualitative

Red Hat

8.8 HIGH

qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Jun 09, 2026 - 02:49 vuln.today

CVSS changed

Jun 09, 2026 - 01:22 NVD

8.8 (HIGH)

CVE Published

Jun 09, 2026 - 00:16 nvd

UNKNOWN (no severity yet)

CVE Published

Jun 09, 2026 - 00:16 nvd

HIGH 8.8

DescriptionCVE.org

Use after free in ViewTransitions in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

AnalysisAI

Remote code execution in Google Chrome versions prior to 149.0.7827.103 stems from a use-after-free condition in the ViewTransitions component, allowing a remote attacker to execute arbitrary code within the browser's renderer sandbox by serving a crafted HTML page. Google rates the Chromium security severity as High and a vendor patch is available, though no public exploit has been identified at time of analysis and the flaw is not listed in CISA KEV.

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon

Attacker hosts crafted HTML page

Delivery

Victim lured via phishing or malvertising

Exploit

Browser invokes ViewTransitions API

Install

Use-after-free triggered on freed object

Memory primitive achieves arbitrary read/write

Execute

Shellcode executes inside renderer sandbox

Impact

Stage second-stage sandbox escape for host RCE

Recon

Attacker hosts crafted HTML page

Delivery

Victim lured via phishing or malvertising

Exploit

Browser invokes ViewTransitions API

Install

Use-after-free triggered on freed object

Memory primitive achieves arbitrary read/write

Execute

Shellcode executes inside renderer sandbox

Impact

Stage second-stage sandbox escape for host RCE

Vulnerability AssessmentAI

Exploitation	Exploitation requires the victim to load attacker-controlled HTML in a vulnerable Chrome build (prior to 149.0.7827.103) that exercises the ViewTransitions API, so user interaction (navigating to or being redirected to the malicious page) is mandatory per the CVSS UI:R metric. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H produces an 8.8 score driven by network reach, low complexity, no privileges, and full CIA impact, tempered by required user interaction (visiting a malicious page) and unchanged scope (sandbox-confined). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker hosts a malicious page that uses the ViewTransitions API to trigger the use-after-free, then lures a Chrome user to visit it via phishing email, a malvertising chain, or a watering-hole compromise on a trusted site. When the victim's browser parses the page and initiates the transition, the freed object is reclaimed with attacker-controlled data, yielding arbitrary code execution inside the renderer sandbox; the attacker would then need a separate sandbox-escape bug to pivot to the host. …
Remediation	Vendor-released patch: Google Chrome 149.0.7827.103 (Stable channel); upgrade all desktop installations to this version or later by triggering Help > About Google Chrome and relaunching, or by pushing the update through your endpoint management system, per https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0153744567.html. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit Chrome deployment across all endpoints and identify versions prior to 149.0.7827.103; notify users and IT teams of patch urgency. …

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Critical

Product	Status
openSUSE Leap 16.0	Fixed
openSUSE Tumbleweed	Fixed

CVE-2026-11646 vulnerability details – vuln.today

Back

Google Chrome CVE-2026-11646

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

Vendor StatusVendor

SUSE

Share

External POC / Exploit Code