Use after free in Passwords in Google Chrome on Mac prior to 149

Per the supplied intel, CVE-2026-10900 is a use-after-free in Chrome's Passwords component on macOS affecting Google Chrome on Mac before 149.0.7827.53, disclosed on 2026-06-04. The described path is not a normal drive-by page load; the attacker has to get a user onto malicious content and then induce specific UI gestures, which strongly suggests the vulnerable code lives behind password-management or browser-UI flows rather than routine rendering alone.

Google's HIGH / 7.5 baseline is defensible if you score the bug in a vacuum as browser memory corruption with full CIA impact. In enterprise reality, that score overshoots: macOS-only, user interaction required, high attack complexity, no KEV, tiny EPSS, and no public exploitation evidence all compress the reachable population. This still matters because browser memory corruption is never backlog trash, but it is not the kind of fleet-wide emergency that a broad drive-by Chrome RCE would be.

Why this verdict

• Start at the vendor's 7.5, then subtract for reachability: browser memory corruption is serious, but this one is not a plain one-click web RCE.
• Specific UI gestures are a heavy friction point: this implies a multi-step lure and a narrow code path, not passive browsing.
• Mac-only meaningfully trims fleet exposure: in most enterprises, Chrome-on-Mac is a subset of endpoints, not the full browser estate.
• High complexity compounds the downgrade: reliable UAF exploitation already takes work; tying it to a finicky UI path makes it worse for the attacker.
• No exploitation signal: no KEV, no public campaign reporting, and the supplied EPSS is extremely low.

Why not higher?

Because this is not broad population, low-friction exploitation. The combination of UI:R + AC:H + macOS-only + Passwords-specific path means several prerequisites must line up before the attacker even reaches the bug, and there is no public evidence that anyone has done that at scale.

Why not lower?

Because it is still browser memory corruption in a widely deployed product exposed to internet content. If the victim path is reached, the theoretical impact is still severe, and managed Macs used by admins, developers, or executives carry enough value that this should not be dismissed as harmless.

1. Enforce Chrome auto-update on managed Macs — Use MDM or your endpoint management stack to force Chrome version compliance and relaunch behavior on macOS. For a MEDIUM noisgate verdict there is no mitigation SLA — go straight to the 365-day remediation window, but in practice browsers should be rolled much faster because update automation is low-cost.
2. Reduce browser-UI lure success — Harden phishing controls, safe-browsing enforcement, and browser isolation for high-risk users so attackers struggle to walk users through a fragile click-sequence exploit. There is no mitigation SLA at this severity, so treat this as a risk-reduction measure while patching inside the 365-day remediation window.
3. Limit privileged browsing from Macs — Keep admin sessions, production control-plane access, and sensitive SaaS administration out of the same browser profile used for general web activity. This does not fix the bug, but it cuts the value of a successful browser-context compromise while you remediate within the 365-day remediation window.
4. Watch for stale Chrome on executive and developer Macs — Prioritize the subset of Mac endpoints that routinely hold high-value sessions, secrets, and password-manager data. Even with no mitigation SLA for MEDIUM, these users are where a niche browser exploit pays off the most.

Run this on the target Mac endpoint locally, via SSH, or through your MDM script runner. Invoke it as bash check_cve_2026_10900_chrome_mac.sh "/Applications/Google Chrome.app"; no root is required, but the script must be able to read the app bundle's Info.plist.

#!/bin/bash
# check_cve_2026_10900_chrome_mac.sh
# Purpose: Check whether Google Chrome on macOS is older than 149.0.7827.53
# Output: VULNERABLE / PATCHED / UNKNOWN
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

set -u

TARGET_VERSION="149.0.7827.53"
APP_PATH="${1:-/Applications/Google Chrome.app}"
PLIST_PATH="$APP_PATH/Contents/Info.plist"

version_lt() {
  # Returns 0 if $1 < $2, else 1
  local IFS=.
  local i
  local -a va=($1) vb=($2)
  local len=${#va[@]}
  if [ ${#vb[@]} -gt $len ]; then
    len=${#vb[@]}
  fi
  for ((i=0; i<len; i++)); do
    local a=${va[i]:-0}
    local b=${vb[i]:-0}
    if ((10#$a < 10#$b)); then
      return 0
    elif ((10#$a > 10#$b)); then
      return 1
    fi
  done
  return 1
}

if [ "$(uname -s)" != "Darwin" ]; then
  echo "UNKNOWN: This script is intended for macOS targets only."
  exit 2
fi

if [ ! -d "$APP_PATH" ]; then
  echo "UNKNOWN: Chrome app bundle not found at '$APP_PATH'."
  exit 2
fi

if [ ! -f "$PLIST_PATH" ]; then
  echo "UNKNOWN: Info.plist not found at '$PLIST_PATH'."
  exit 2
fi

if ! command -v /usr/bin/defaults >/dev/null 2>&1; then
  echo "UNKNOWN: macOS 'defaults' utility not available."
  exit 2
fi

INSTALLED_VERSION=$(/usr/bin/defaults read "$APP_PATH/Contents/Info" CFBundleShortVersionString 2>/dev/null)

if [ -z "${INSTALLED_VERSION:-}" ]; then
  echo "UNKNOWN: Could not read installed Chrome version."
  exit 2
fi

if version_lt "$INSTALLED_VERSION" "$TARGET_VERSION"; then
  echo "VULNERABLE: Google Chrome version $INSTALLED_VERSION is older than $TARGET_VERSION"
  exit 1
else
  echo "PATCHED: Google Chrome version $INSTALLED_VERSION is >= $TARGET_VERSION"
  exit 0
fi

Sources

1. Chrome Releases - Early Stable Update for Desktop (149.0.7827.53/.54)
2. Chrome Releases - 2026 archive / release context
3. CISA Known Exploited Vulnerabilities Catalog
4. NVD Search
5. NVD - CVE-2026-10000 (analogous recent Chrome Passwords flaw)
6. Chrome CNA information at CVE.org
7. Canadian Centre for Cyber Security advisory for Chrome 149.0.7827.53/54