Description
Use after free in Chromoting in Google Chrome on Mac prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code via malicious network traffic. (Chromium security severity: Critical)
Published: 2026-06-04
Score: 8.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Chromoting, the remote desktop component of Google Chrome on macOS, contains a use-after-free flaw that allows a remote attacker to execute arbitrary code. The vulnerability is triggered by malicious network traffic directed to a Chrome instance running a version prior to 149.0.7827.53. Exploiting the flaw can lead to full control of the affected device, compromising confidentiality, integrity and availability.

Affected Systems

Any macOS machine that has Google Chrome installed with a version earlier than 149.0.7827.53 and has Chrome Remote Desktop enabled is affected. Versions 149.0.7827.53 and later contain the fix.

Risk and Exploitability

The vulnerability has a CVSS score of 8.1, indicating high severity, and is rated critical by Chromium. The EPSS score is not published and the issue is not listed in the CISA KEV catalog, but the use-after-free condition could be exploited over a network connection to a vulnerable Chrome instance. Successful exploitation gives the attacker arbitrary code execution on the host system.

Generated by OpenCVE AI on June 5, 2026 at 05:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to version 149.0.7827.53 or later
  • If Chrome Remote Desktop is not required, uninstall or disable the remote desktop extension
  • Monitor for unauthorized network connections targeting the Chrome Remote Desktop port

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 05:45:00 +0000

Type | Values Removed | Values Added
Title | | Use-after-free in Chrome Remote Desktop Enables Remote Code Execution on macOS

Fri, 05 Jun 2026 02:30:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
 | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 05 Jun 2026 02:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Google, Google chrome
Vendors & Products | | Google, Google chrome

Thu, 04 Jun 2026 23:15:00 +0000

Type | Values Removed | Values Added
Description | | Use after free in Chromoting in Google Chrome on Mac prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code via malicious network traffic. (Chromium security severity: Critical)
Weaknesses | | CWE-416
References | |

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-05T01:56:49.263Z

Reserved: 2026-06-04T17:05:56.188Z

Link: CVE-2026-10887

Vulnrichment

Updated: 2026-06-05T01:56:45.343Z

NVD

Status: Received

Published: 2026-06-04T23:16:50.130

Modified: 2026-06-05T02:16:51.340

Link: CVE-2026-10887

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T05:30:32Z

Weaknesses