← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
CVE-2026-10888 · CWE-416 · Disclosed 2026-06-04

Use after free in Cast Streaming in Google Chrome prior to 149

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is a switchblade that only opens if the attacker is already standing in your hallway

CVE-2026-10888 is a use-after-free in Chrome Cast Streaming that affects Google Chrome builds before 149.0.7827.53; the June 2026 desktop rollout points to 149.0.7827.53/54 on Windows and macOS and 149.0.7827.53 on Linux as the fixed line. The bug sits on a local-network-facing Cast path, so the attacker is not driving this from the public internet; they need to be on the same local network segment and then feed Chrome malicious Cast-related traffic to reach code execution.

The vendor's HIGH 8.8 score is technically defensible in a lab because memory corruption plus no auth / no user interaction is serious. In enterprise reality, though, AV:A is doing a lot of work: this is a post-perimeter, same-LAN attack, impact is described as inside the sandbox, there is no KEV listing, and the supplied EPSS is effectively zero. That combination makes this a patch promptly but not pager-worthy browser issue.

"Real bug, real RCE potential, but the same-LAN requirement and sandboxed impact keep this out of the fire-drill tier."
02 · The Attack Path

4 steps from start to impact.

STEP 01

Get onto the victim's Layer-2 neighborhood

The attacker first needs an adjacent-network position: same Wi-Fi, same office subnet, same guest VLAN with poor isolation, or another foothold already inside the enterprise. A practical operator would pair ordinary discovery tooling like arp-scan, nmap, or mdns-scan with passive traffic observation to identify likely Chrome endpoints and Cast-capable environments.
Conditions required:
  • Attacker has access to the same local network segment as the victim
  • Enterprise network permits peer reachability or weak client isolation
Where this breaks in practice:
  • Modern enterprise Wi-Fi often enables client isolation or NAC
  • Being on the same segment usually implies the attacker already cleared an earlier access hurdle
Detection/coverage: External attack-surface scanners will miss this. NAC, WLAN telemetry, east-west flow logs, and unusual mDNS/SSDP chatter are better signals than perimeter vuln scans.
STEP 02

Find a Chrome endpoint exposing the Cast traffic path

The attacker then needs a running, vulnerable Chrome build with the Cast Streaming code reachable in the victim session. Tooling would likely include scapy or custom packet generators to enumerate or stimulate Cast-related traffic behavior without needing browser interaction from the user.
Conditions required:
  • Victim runs Chrome prior to 149.0.7827.53
  • Chrome is running and the Cast-related code path is reachable
Where this breaks in practice:
  • Browser auto-update shrinks the exploitable population fast
  • Not every managed desktop is actively using Cast features at any given moment
Detection/coverage: Good EDR can inventory browser versions; most generic network scanners cannot prove this code path is reachable on a host.
STEP 03

Trigger the use-after-free with malicious network traffic

With target and position established, the attacker sends crafted local-network traffic to the Cast Streaming component to hit the dangling-pointer condition. Weaponization here is non-trivial memory-corruption work even if the published CVSS lists AC:L; in practice, reliable exploitation still depends on exact packet shaping, browser state, and modern mitigations.
Conditions required:
  • Attacker can send malformed Cast-related traffic to the victim host
  • Vulnerable code path can be exercised remotely over the local segment
Where this breaks in practice:
  • Exploit reliability for browser UAFs is rarely point-and-click
  • Platform hardening and Chrome mitigations reduce success rates
Detection/coverage: Network IDS may catch obvious malformed traffic only if signatures exist. EDR/browser crash telemetry is more likely to reveal failed attempts than successful pre-exploitation staging.
STEP 04

Land code execution inside Chrome's sandbox

The advertised impact is arbitrary code execution inside a sandbox, not immediate host takeover. That means the attacker still has to live with browser sandbox boundaries or pair this with a second bug for full endpoint compromise.
Conditions required:
  • Exploit succeeds against the target build
  • No additional containment stops the browser process
Where this breaks in practice:
  • Sandboxed execution limits direct blast radius
  • Follow-on privilege escalation or sandbox escape is not established in the supplied intel
Detection/coverage: EDR process-tree anomalies, renderer/browser crashes, and child-process abuse are the practical detection points. Vulnerability scanners will not validate successful in-sandbox execution.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusNo public exploitation evidence in the supplied intel, and not KEV-listed. I found no authoritative public reporting tying CVE-2026-10888 to active campaigns.
Proof-of-concept availabilityNo public PoC located for this exact CVE. Publicly indexed material for similar 2026 Chrome Cast bugs exists, but not a weaponized repo or researcher write-up for this ID.
EPSS0.00008 from your intel block — effectively background noise, consistent with a bug that is hard to mass-exploit and not internet-scalable. FIRST's EPSS documentation defines this as the 30-day exploitation probability model.
KEV statusNo. CISA's KEV catalog is the right escalation trigger for browser bugs; this one is absent as of the accessible catalog results.
CVSS vector meaningCVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H means adjacent network only, no auth, no clicks, and high theoretical impact. The biggest real-world discount is AV:A: same-LAN is a meaningful reachability limiter in enterprise fleets.
Affected versionsGoogle Chrome prior to 149.0.7827.53 per your supplied title/intel, with platform rollout notes showing the fixed train as 149.0.7827.53/54 for Windows/Mac and 149.0.7827.53 for Linux.
Fixed versionsWindows/macOS: 149.0.7827.53/54 and later. Linux: 149.0.7827.53 and later. I did not find distro-specific Chromium backport bulletins for this exact CVE in accessible sources.
Scanning / exposure dataThis is not an internet-facing server bug. Internet-wide platforms like Censys and GreyNoise are poor fit because they observe public exposure and inbound scanning, while this bug needs same-segment local traffic; use endpoint version inventory and network segmentation maps instead of Shodan-style exposure counts.
Disclosure date2026-06-04 from your intel block. The surrounding Chrome desktop security rollout appears on 2026-05-29 for early stable and was mirrored by the Canadian Cyber Centre on 2026-06-03.
Researcher / reportingNo public finder credit located in accessible authoritative sources for this exact CVE. Because the exact CVE record was not publicly indexed in the search results I could access, some metadata here is based on your supplied intel plus vendor release context.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to MEDIUM (6.1/10)

The decisive factor is attacker position: this requires same-segment local-network access, which means the adversary is already inside your wireless or campus edge reality rather than exploiting you from the internet at scale. The second limiter is sandboxed code execution; serious, yes, but not equivalent to straight host compromise absent a second-stage escape.

HIGH Reachability-based downgrade driven by the adjacent-network requirement
MEDIUM Exact public metadata for CVE-2026-10888 because the authoritative CVE page was not accessible in indexed results

Why this verdict

  • Start at vendor 8.8, then subtract for AV:A: same-LAN access is a real prerequisite, not a rounding error. It implies either hostile guest/Wi-Fi proximity or an earlier foothold inside the enterprise.
  • Subtract again for population narrowing: exploitation needs a vulnerable Chrome build *and* a reachable Cast Streaming path on an actively running browser, which is a much smaller target set than generic web-content RCE.
  • Hold above LOW because no auth + no UI + memory corruption still matter: if an attacker is already on the segment, this is cleaner than phishing and can be abused without victim clicks.

Why not higher?

This is not broadly internet-reachable, not KEV-listed, and not backed by active exploitation evidence. Most importantly, the stated impact is inside Chrome's sandbox, so the blast radius is meaningfully smaller than a one-shot endpoint takeover.

Why not lower?

I am not pushing this to LOW because the bug still offers code execution potential with no credentials and no user interaction once the attacker reaches the right network position. In flat networks, shared Wi-Fi, labs, kiosks, or unmanaged branch environments, the adjacent-network hurdle is not hypothetical.

05 · Compensating Control

What to do — in priority order.

  1. Segment user endpoints from untrusted local networks — Put guest Wi-Fi, contractor SSIDs, lab VLANs, and unmanaged IoT segments behind controls that prevent peer-to-peer reachability to employee endpoints. For a MEDIUM verdict there is no mitigation SLA — go straight to the 365-day remediation window, but this control meaningfully reduces exposure while normal browser updates roll out.
  2. Restrict Cast discovery and local service chatter where business-unneeded — Filter or tightly scope local multicast and Cast-adjacent traffic between endpoint segments when casting is not a business requirement. There is no mitigation SLA for this severity, but applying this during routine network-policy cycles cuts the reachable population before patch completion.
  3. Enforce Chrome auto-update compliance — Use enterprise browser management to identify endpoints stuck below 149.0.7827.53 and remediate update drift. For MEDIUM, prioritize it through standard operations and finish actual patching inside the 365-day remediation window rather than emergency change management.
  4. Watch for abnormal east-west discovery traffic — Baseline mDNS/SSDP/Cast-related traffic on corporate WLANs and alert on unusual bursts, spoofing behavior, or device-to-device traffic that should not exist. This will not prove exploitation, but it is the right compensating detection layer for a same-LAN browser bug.
What doesn't work
  • A perimeter WAF does not help; the attack is not coming through your internet web stack.
  • Email security does not materially help; there is no phishing or user-click requirement in the advertised path.
  • MFA is irrelevant here; the vulnerability does not require account takeover or application login.
06 · Verification

Crowdsourced verification payload.

Run this on the target Windows endpoint or through your fleet tool (for example: powershell.exe -ExecutionPolicy Bypass -File .\check-chrome-cve-2026-10888.ps1). It needs only standard user rights because it reads file versions from common Chrome install paths; output is exactly VULNERABLE, PATCHED, or UNKNOWN.

noisgate-verify.ps1
POWERSHELLREAD-ONLYSAFE
# check-chrome-cve-2026-10888.ps1

# Purpose: Check whether Google Chrome on Windows is below the fixed version for CVE-2026-10888.

# Fixed baseline used here: 149.0.7827.53 (Windows)

# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN


$ErrorActionPreference = 'Stop'

function Get-VersionObject {
    param([string]$VersionString)
    try {
        return [version]$VersionString
    } catch {
        return $null
    }
}

$fixedVersion = Get-VersionObject '149.0.7827.53'
$chromePaths = @(
    "$env:ProgramFiles\Google\Chrome\Application\chrome.exe",
    "$env:ProgramFiles(x86)\Google\Chrome\Application\chrome.exe",
    "$env:LocalAppData\Google\Chrome\Application\chrome.exe"
)

$found = @()
foreach ($path in $chromePaths) {
    if (Test-Path $path) {
        try {
            $item = Get-Item $path
            $ver = $item.VersionInfo.ProductVersion
            if (-not $ver) { $ver = $item.VersionInfo.FileVersion }
            $verClean = ($ver -split '\s+')[0]
            $verObj = Get-VersionObject $verClean
            if ($verObj) {
                $found += [pscustomobject]@{
                    Path = $path
                    Version = $verClean
                    VersionObject = $verObj
                }
            }
        } catch {
            # Ignore broken path/version reads and continue

        }
    }
}

if ($found.Count -eq 0) {
    Write-Output 'UNKNOWN'
    exit 2
}

# If any installed Chrome copy is below fixed, treat host as vulnerable.

$vuln = $found | Where-Object { $_.VersionObject -lt $fixedVersion }
if ($vuln.Count -gt 0) {
    Write-Output 'VULNERABLE'
    exit 1
}

Write-Output 'PATCHED'
exit 0
07 · Bottom Line

If you remember one thing.

TL;DR
By Monday morning, pull a fleet inventory of Chrome versions, identify endpoints below 149.0.7827.53, and check which user networks still allow unnecessary peer-to-peer or guest-to-corporate local reachability. This lands in MEDIUM, so there is no noisgate mitigation SLA — go straight to the 365-day remediation window; use this week for version discovery and network-exposure triage, then complete the browser upgrade to 149.0.7827.53/54 or later within the noisgate remediation SLA of 365 days through normal enterprise browser management.

Sources

  1. Chrome Releases: Early Stable Update for Desktop (149.0.7827.53/.54)
  2. Canadian Centre for Cyber Security AV26-544
  3. FIRST EPSS data and field definitions
  4. CISA Known Exploited Vulnerabilities Catalog
  5. Analogous Chrome Cast CVE-2026-7349 (same-LAN Cast RCE pattern)
  6. Analogous Chrome Cast CVE-2026-7338 analysis
  7. Censys overview of internet-exposed asset discovery limits
  8. Chromecast-related port exposure background
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.