CVE-2026-11224

Published Jun 4, 2026

Last updated 2 days ago

CVSS high 8.1

Overview

Description
Use after free in Chromoting in Google Chrome on Linux prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code via malicious network traffic. (Chromium security severity: Low)
Source
chrome-cve-admin@google.com
NVD status
Analyzed
Products
chrome

Risk scores

CVSS 3.1

Type
Secondary
Base score
8.1
Impact score
5.9
Exploitability score
2.2
Vector string
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
HIGH

Weaknesses

chrome-cve-admin@google.com
CWE-416

Social media

Hype score
Not currently trending

Configurations

Related CVEs

  1. Inappropriate implementation in Cast in Google Chrome prior to 149.0.7827.53 allowed an attacker on the local network segment to bypass discretionary access control via malicious network traffic. (Chromium security severity: Low)CVE-2026-11276
  2. Use after free in TabStrip in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Low)CVE-2026-11262
  3. Integer overflow in GPU in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low)CVE-2026-11256
  4. Insufficient validation of untrusted input in Storage Access API in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)CVE-2026-11255
  5. Inappropriate implementation in Permissions in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)CVE-2026-11254

References

Sources include official advisories and independent security research.