What is the CVSS score of CVE-2026-11656?

CVE-2026-11656 has a CVSS 3.1 base score of 8.3 (High). CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H. EPSS exploitation probability: 0.0%.

Which versions of Google Chrome are affected by CVE-2026-11656?

Google Chrome contains a sandbox escape vulnerability (CVE-2026-11656, CVSS 8.3) that grants attackers complete control of the browser process if users install a malicious extension.. A patch is available.

How to fix or mitigate CVE-2026-11656?

24 hours: Inventory Chrome deployments and document current version distribution across the enterprise. 7 days: Test Chrome 149.0.7827.103 or later in production environment and begin staged deployment. 30 days: Complete deployment of Chrome 149.0.7827.103 or later to all systems and verify zero instances of vulnerable versions remain.

Google Chrome CVE-2026-11656

EUVD-2026-35256 HIGH

Use After Free (CWE-416)

2026-06-09 chrome-cve-admin@google.com

GHSA-g324-4x5c-75c4

Denial Of Service Use After Free Memory Corruption Google Red Hat Suse

8.3

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

8.3 HIGH

AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

SUSE

CRITICAL

qualitative

Red Hat

8.2 HIGH

qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Jun 09, 2026 - 02:45 vuln.today

CVSS changed

Jun 09, 2026 - 02:22 NVD

8.3 (HIGH)

CVE Published

Jun 09, 2026 - 00:16 nvd

UNKNOWN (no severity yet)

CVE Published

Jun 09, 2026 - 00:16 nvd

HIGH 8.3

DescriptionCVE.org

Use after free in ServiceWorker in Google Chrome prior to 149.0.7827.103 allowed an attacker who convinced a user to install a malicious extension to potentially perform a sandbox escape via a crafted Chrome Extension. (Chromium security severity: High)

AnalysisAI

Sandbox escape in Google Chrome versions prior to 149.0.7827.103 stems from a use-after-free condition in the ServiceWorker component, allowing an attacker to break out of Chrome's renderer sandbox through a crafted malicious extension. The flaw is rated Chromium severity High with CVSS 8.3 and no public exploit identified at time of analysis, but the scope-change (S:C) and full CIA impact mean a successful escape grants meaningful control over the host browser process. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon

Publish or compromise Chrome extension

Delivery

Social-engineer victim to install

Exploit

Extension invokes crafted ServiceWorker calls

Install

Trigger use-after-free in worker

Reclaim freed memory with controlled data

Execute

Escape extension sandbox to browser process

Impact

Execute code with Chrome process privileges

Recon

Publish or compromise Chrome extension

Delivery

Social-engineer victim to install

Exploit

Extension invokes crafted ServiceWorker calls

Install

Trigger use-after-free in worker

Reclaim freed memory with controlled data

Execute

Escape extension sandbox to browser process

Impact

Execute code with Chrome process privileges

Vulnerability AssessmentAI

Exploitation	The victim must install an attacker-controlled Chrome extension (UI:R in the CVSS vector), and that extension must execute crafted ServiceWorker code that drives the vulnerable allocation/free sequence to trigger the use-after-free - this is the explicit precondition stated in the description. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	The CVSS vector AV:N/AC:H/PR:N/UI:R reflects a network-reachable but high-complexity bug that requires user interaction (installing a malicious extension), and the scope change with C:H/I:H/A:H is what drives the 8.3 score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker publishes or compromises a Chrome extension and convinces a target to install it via social engineering, a typosquatted listing, or a supply-chain takeover of a legitimate extension's developer account. Once installed, the extension issues crafted ServiceWorker operations that trigger the use-after-free, reclaim the freed allocation with attacker-controlled data, and pivot out of the extension sandbox into the broader Chrome process. …
Remediation	Update Chrome to version 149.0.7827.103 or later on the stable desktop channel - vendor-released patch is available per the Chrome Releases advisory (https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0153744567.html) and the Chromium issue tracker entry at https://issues.chromium.org/issues/513424000. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Inventory Chrome deployments and document current version distribution across the enterprise. …

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Critical

Product	Status
openSUSE Leap 16.0	Fixed
openSUSE Tumbleweed	Fixed

CVE-2026-11656 vulnerability details – vuln.today

Back

Google Chrome CVE-2026-11656

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

Vendor StatusVendor

SUSE

Share

External POC / Exploit Code