What is the CVSS score of CVE-2026-11664?

CVE-2026-11664 has a CVSS 3.1 base score of 8.8 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of Google Chrome are affected by CVE-2026-11664?

Google Chrome contains a code execution vulnerability (CVSS 8.8) that could be triggered when users visit compromised or malicious websites.. A patch is available.

How to fix or mitigate CVE-2026-11664?

Within 24 hours: Identify all Chrome deployments and users across your organization. Within 7 days: Deploy Chrome version 149.0.7827.103 or later through your patch management system to all affected systems. Within 30 days: Confirm full deployment completion via audit or telemetry to ensure no vulnerable versions remain.

Google Chrome CVE-2026-11664

EUVD-2026-35264 HIGH

Use After Free (CWE-416)

2026-06-09 chrome-cve-admin@google.com

GHSA-c668-r5mr-qr6c

Denial Of Service Use After Free Memory Corruption Google Red Hat Suse

8.8

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

8.8 HIGH

AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

SUSE

CRITICAL

qualitative

Red Hat

8.8 HIGH

qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Jun 09, 2026 - 11:27 vuln.today

CVSS changed

Jun 09, 2026 - 11:22 NVD

8.8 (HIGH)

CVE Published

Jun 09, 2026 - 00:16 nvd

UNKNOWN (no severity yet)

CVE Published

Jun 09, 2026 - 00:16 nvd

HIGH 8.8

DescriptionCVE.org

Use after free in Payments in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

AnalysisAI

Heap corruption in Google Chrome's Payments component before 149.0.7827.103 allows remote attackers to exploit a use-after-free condition by enticing a victim to visit a crafted HTML page, potentially achieving arbitrary code execution within the renderer sandbox. Chromium rates the severity as High, and CVSS 8.8 reflects network-reachable exploitation with low complexity, though successful exploitation requires user interaction (visiting an attacker-controlled page). …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Attacker hosts crafted HTML page

Delivery

Victim navigates to malicious URL

Exploit

Page invokes Payment Request API

Execution

Trigger use-after-free in Payments

Persist

Heap corruption and control of freed object

Impact

Arbitrary code execution in renderer process

Access

Attacker hosts crafted HTML page

Delivery

Victim navigates to malicious URL

Exploit

Page invokes Payment Request API

Execution

Trigger use-after-free in Payments

Persist

Heap corruption and control of freed object

Impact

Arbitrary code execution in renderer process

Vulnerability AssessmentAI

Exploitation	Victim must visit an attacker-controlled or attacker-injected HTML page using Chrome before version 149.0.7827.103 - user interaction (UI:R) is required, meaning no exploitation occurs without the user navigating to the page. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	CVSS 8.8 with AV:N/AC:L/PR:N/UI:R/C:H/I:H/A:H positions this as a high-severity client-side bug: network-reachable, low complexity, no privileges required, but UI:R means a user must visit a malicious page. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker hosts a malicious HTML page (or compromises an ad network / legitimate site) that, when loaded by a victim using a vulnerable Chrome version, invokes specific Payment Request API sequences to trigger the use-after-free, manipulate the heap, and gain code execution in the renderer process. A typical follow-on step would chain a separate sandbox escape to break out of the renderer for full host compromise. …
Remediation	Vendor-released patch: Google Chrome 149.0.7827.103 (Stable channel desktop update). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all Chrome deployments and users across your organization. …

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Critical

Product	Status
openSUSE Leap 16.0	Fixed
openSUSE Tumbleweed	Fixed

CVE-2026-11664 vulnerability details – vuln.today

Back

Google Chrome CVE-2026-11664

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

Vendor StatusVendor

SUSE

Share

External POC / Exploit Code