CVE-2026-10887 · Use after free in Chromoting in Google Chrome on Mac prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code via maliciou

01 · The Real Story

This is a razor blade hidden in a side door, not the front gate

The flaw is a use-after-free in Chrome's Chromoting code that can lead to arbitrary code execution on macOS systems running Google Chrome before 149.0.7827.53. In plain English: a remote attacker can send malformed Chromoting traffic that causes Chrome to keep using memory after it has been freed, creating a path to controlled memory corruption and eventual code execution in the browser process.

The raw bug class is ugly, but the practical reachability is narrower than a generic browser RCE. The decisive friction is that this sits in Chromoting, not the mainstream HTML/JS rendering path every user hits all day. That means the vendor-style severity is directionally understandable, but for enterprise patch triage this is not the same operational emergency as a no-click renderer bug with active exploitation.

"Dangerous bug, but the Chromoting-only reachability keeps it out of the top bucket for most fleets."

02 · The Attack Path

4 steps from start to impact.

STEP 01

Reach a vulnerable Chromoting client

The attacker needs a Mac endpoint running vulnerable Chrome and a path to make it process Chromoting traffic. In practice this means abusing Chrome Remote Desktop or another remoting-related Chromoting interaction rather than just luring a user to an ordinary webpage. Weaponized tooling here is typically a custom malicious Chromoting peer/service built around the Chrome bug tracked in Chromium issue 505204771.

Conditions required:

Target is macOS with Google Chrome older than 149.0.7827.53
Chromoting code path is reachable in the target's workflow
Attacker can initiate or relay malicious network traffic toward that path

Where this breaks in practice:

Chromoting is a niche feature path, not the default browser activity for most enterprise users
Many fleets do not permit Chrome Remote Desktop at all
macOS-only scope cuts population relative to mixed Windows-heavy estates

Detection/coverage: Traditional vuln scanners can confirm Chrome version, but they generally cannot prove live Chromoting reachability. Detection quality depends on endpoint inventory plus telemetry showing Chrome Remote Desktop/Chromoting use.

STEP 02

Trigger the use-after-free with crafted traffic

The exploit must shape network messages so the vulnerable Chromoting component frees an object and later reuses it. Because this is memory corruption, reliable exploitation usually requires a purpose-built exploit harness rather than commodity offensive tooling. The likely weapon is a custom protocol fuzzer/exploit chain tuned to the affected build.

Conditions required:

Precise malformed traffic reaches the vulnerable code path
Target build and allocator behavior match the exploit assumptions

Where this breaks in practice:

AC:H matters here: memory-corruption reliability is materially harder than simple input-validation bugs
Chrome version churn and exploit mitigations raise attacker development cost

Detection/coverage: Network signatures are weak unless a defender can decode the specific remoting traffic pattern. Crash telemetry, EDR browser-child anomalies, and repeated Chrome faults are more realistic indicators.

STEP 03

Convert memory corruption into code execution

After hitting the UAF, the attacker must steer heap state to gain controlled execution in the Chrome process. This is where exploit maturity separates theory from field use: a crash is easy, stable RCE is harder. The offensive tool at this stage is the exploit's heap grooming and payload delivery logic.

Conditions required:

Attacker achieves sufficient heap control
Browser mitigations do not break the chain

Where this breaks in practice:

Modern browser hardening and allocator randomness reduce reliability
A single patch level mismatch can invalidate exploit primitives

Detection/coverage: EDR may catch browser memory exploitation side effects, abnormal child processes, JIT-like shellcode behavior, or suspicious post-exploitation actions. Pure pre-execution detection is limited.

STEP 04

Post-exploitation on the Mac host

Successful code execution lands in the context available to the compromised Chrome process on the user endpoint. From there, the attacker pivots into credential theft, data access, persistence attempts, or further privilege escalation using standard macOS tradecraft. The weapon here becomes the attacker's second-stage payload delivered after browser compromise.

Conditions required:

Initial exploit succeeds
Endpoint controls do not stop second-stage activity

Where this breaks in practice:

EDR, application control, and restricted local privileges can blunt host impact
Compromise is still bounded to endpoints where the Chromoting path was actually used

Detection/coverage: This is the strongest detection point: EDR should see suspicious browser-spawned binaries, shell execution, credential store access, persistence writes, or unusual network beacons.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No confirmed active exploitation found in official sources reviewed. Not present in the CISA KEV catalog.
Proof-of-concept availability	No public PoC located. The Chromium bug link exists but details are effectively restricted, which slows copycat exploitation.
EPSS	`0.00159` from the prompt intel, which is very low and consistent with a bug that is real but not currently seeing broad attacker attention.
KEV status	Not KEV-listed. That removes the strongest real-world urgency amplifier.
CVSS / interpretation	`CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H` means remote, no auth, no user click, but high attack complexity. That complexity is not theoretical hand-waving here; it is the main drag on real exploitability.
Affected versions	Prompt intel says Google Chrome on Mac prior to `149.0.7827.53`. Google's desktop stable advisory on 2026-06-02 shipped `149.0.7827.53/54` for Windows/Mac.
Fixed versions	Patch floor: `149.0.7827.53/54` on Windows/Mac and `149.0.7827.53` on Linux per Google's stable channel advisory. No distro-style backport story matters here because this is a Chrome client update, not a server package stream.
Scanning / exposure reality	Not internet-enumerable in any meaningful way via Shodan/Censys/FOFA because Chrome is a client application. Exposure has to be inferred from endpoint inventory, macOS fleet data, and whether users run Chrome Remote Desktop/Chromoting workflows.
Disclosure timeline	The prompt says `2026-06-04`, but Google's desktop stable release post is dated 2026-06-02 and the Canadian advisory references Google's publication on 2026-06-02. The Chromium issue was reported by Google on 2026-04-22.
Researcher / reporter	Reported by Google internally, not an external researcher, according to the Chrome stable advisory.

04 · The Call

noisgate verdict.

Final Verdict

= UNCHANGED to HIGH (7.1/10)

The single biggest reason this does not stay in the top bucket is reachability: this is a Chromoting bug, not a mass-reachable renderer bug every managed browser exercises constantly. It is still a serious remote code execution path with no auth and no user-click requirement once the code path is hit, so it remains above MEDIUM.

HIGH Version and fix metadata from Google's desktop stable advisory

MEDIUM Practical exposure reduction from Chromoting-specific reachability

MEDIUM Absence of public exploitation evidence at time of review

Why this verdict

Down from vendor-style worst case: the bug sits in Chromoting, which sharply narrows the reachable population versus a generic webpage-driven browser RCE
Still serious: AV:N/PR:N/UI:N means once the attacker can feed the vulnerable traffic path, there is no auth or user click saving you
Further downward pressure: no KEV entry, no public PoC found, and the supplied EPSS 0.00159 all argue against emergency-all-hands treatment

Why not higher?

I am not calling this CRITICAL because the attack chain appears to depend on a specialized remoting path rather than routine browsing, and that is a huge population reducer in real fleets. On top of that, there is no verified in-the-wild exploitation signal, no KEV listing, and no public exploit kit lowering attacker cost.

Why not lower?

I am not pushing this to MEDIUM because the bug class is still memory corruption with potential arbitrary code execution, and the supplied vector says remote / no auth / no UI. If you do have Macs using Chrome Remote Desktop or adjacent Chromoting workflows, the impact of a successful exploit is full endpoint compromise territory.

05 · Compensating Control

What to do — in priority order.

Disable Chromoting where unused — If your estate does not need Chrome Remote Desktop or related Chromoting workflows, turn it off and remove it from managed Macs. For a HIGH verdict, deploy this containment within 30 days; for teams with heavy remote-support usage, do the discovery and disablement decision in the first wave.
Restrict outbound remoting paths — Use MDM, browser policy, and egress controls to block or tightly scope Chrome Remote Desktop/Chromoting traffic to approved support workflows only. This reduces the reachable population immediately and should be in place within 30 days.
Prioritize macOS Chrome inventory — Build a targeted list of Macs running Chrome older than 149.0.7827.53 and intersect it with users or groups authorized for remote-support tooling. That gives you the true at-risk slice instead of treating every Chrome install as equally exposed; complete that targeting work within 30 days.
Tune EDR for browser-to-shell pivots — Harden detections for Google Chrome spawning shells, interpreters, installers, or unusual child processes on macOS. This will not prevent the memory bug, but it improves your chance of catching post-exploitation activity while the patch rolls out; tune within 30 days.

What doesn't work

A WAF does not meaningfully protect a local browser client from Chromoting traffic paths.
Email security is irrelevant unless the attack also depends on a separate lure chain, which is not part of the described exploit conditions.
MFA does not stop memory corruption inside the browser process once the vulnerable code path is reached.

06 · Verification

Crowdsourced verification payload.

Run this on the target Mac endpoint or through your MDM remote shell, not from an auditor workstation. Invoke it as bash check_chrome_cve_2026_10887.sh or sudo bash check_chrome_cve_2026_10887.sh; admin rights are not usually required if Chrome is installed in /Applications, but sudo helps in locked-down environments.

noisgate-verify.sh

BASHREAD-ONLYSAFE

#!/bin/bash
# check_chrome_cve_2026_10887.sh
# Purpose: Check whether Google Chrome on macOS is below the fixed version for CVE-2026-10887.
# Output: VULNERABLE / PATCHED / UNKNOWN
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

set -u

APP_PATH="/Applications/Google Chrome.app"
INFO_PLIST="$APP_PATH/Contents/Info.plist"
FIXED_VERSION="149.0.7827.53"

version_ge() {
  # returns 0 if $1 >= $2
  [ "$1" = "$2" ] && return 0
  local IFS=.
  local i
  local -a va=($1) vb=($2)

  # pad shorter array with zeros
  for ((i=${#va[@]}; i<${#vb[@]}; i++)); do va[i]=0; done
  for ((i=${#vb[@]}; i<${#va[@]}; i++)); do vb[i]=0; done

  for ((i=0; i<${#va[@]}; i++)); do
    if ((10#${va[i]} > 10#${vb[i]})); then
      return 0
    fi
    if ((10#${va[i]} < 10#${vb[i]})); then
      return 1
    fi
  done
  return 0
}

if [ ! -d "$APP_PATH" ] || [ ! -f "$INFO_PLIST" ]; then
  echo "UNKNOWN: Google Chrome.app not found at $APP_PATH"
  exit 2
fi

VERSION=$(/usr/bin/defaults read "$APP_PATH/Contents/Info" CFBundleShortVersionString 2>/dev/null || true)

if [ -z "$VERSION" ]; then
  echo "UNKNOWN: Unable to read Chrome version from Info.plist"
  exit 2
fi

if version_ge "$VERSION" "$FIXED_VERSION"; then
  echo "PATCHED: Google Chrome version $VERSION is >= $FIXED_VERSION"
  exit 0
else
  echo "VULNERABLE: Google Chrome version $VERSION is < $FIXED_VERSION"
  exit 1
fi

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning, do not treat this like a fleet-wide browser fire drill, but do pull a targeted report of macOS endpoints running Chrome below 149.0.7827.53 and cross-reference that with any approved Chrome Remote Desktop / Chromoting usage. Because this lands HIGH, the noisgate mitigation SLA is ≤30 days: disable or restrict Chromoting on Macs that do not need it and tighten detections for suspicious Chrome child-process behavior in that same window. Then complete the actual Chrome upgrade to 149.0.7827.53/54 within the noisgate remediation SLA of ≤180 days, with remote-support Macs and higher-trust user groups first in line.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.