01 · The Real Story
This is a booby-trapped password prompt, not a wormable door left off its hinges
CVE-2026-10901 is a use-after-free in Chrome's Passwords component on macOS. The affected range is Google Chrome on Mac prior to 149.0.7827.53; Google's June 2, 2026 stable desktop release shipped the fix in the 149.0.7827.53/54 train for Windows/Mac, with the Chrome release post specifically listing CVE-2026-10901: Use after free in Passwords.
The supplied vendor baseline of 7.5 / High is close to reality for enterprise triage, even though Google's release bulletin grouped this CVE under its Critical bucket. The reason not to chase the higher label is simple: this is client-side, Mac-only, user-interaction-driven exploitation with no public exploitation evidence and a very low EPSS, so real-world reach is much narrower than the raw memory-corruption impact suggests.
"Internet-reachable browser bug, but Mac-only scope and user-interaction friction keep it out of Critical"
02 · The Attack Path
4 steps from start to impact.
STEP 01
Land the victim on a weaponized page
The attacker needs a malicious site or lure that a Mac Chrome user actually opens. Weaponized tool: custom HTML/JavaScript exploit page; no public exploit repository was found, and the Chromium issue is still restricted at issues.chromium.org/516957738.
Conditions required:
- Victim is using Chrome on macOS
- Chrome version is below 149.0.7827.53
- User can be convinced to visit attacker-controlled content
Where this breaks in practice:
- Not reachable as a blind network service; this is not scan-and-fire
- Enterprise SWG, DNS filtering, and email filtering cut down lure success
- Mac-only scope removes Windows and Linux fleet from the reachable population
Detection/coverage: Perimeter scanners will miss this. Best coverage is browser version inventory, SWG/DNS logs for lure domains, and crash telemetry from Chrome/EDR.
STEP 02
Force the Passwords code path with specific user interaction
The CVE text says the attacker must convince the user to engage in specific interaction, which is the decisive friction point. Weaponized tool: the same exploit page, but now paired with UI engineering to trigger password-manager behavior rather than a pure drive-by.
Conditions required:
- Victim performs the required specific interaction
- The targeted workflow reaches the vulnerable Passwords component on Mac
Where this breaks in practice:
- This is materially harder than a passive page-load exploit
- Password-manager prompts and autofill behavior vary by profile state, saved credentials, and enterprise policy
- Users who never interact with password save/fill prompts are harder to reach
Detection/coverage: Look for anomalous password prompt activity, unusual browser-crash clusters, and proxy logs showing repeated visits to the same exploit host immediately before Chrome instability.
STEP 03
Trigger the use-after-free and gain process-level execution
If the interaction reliably reaches the vulnerable object lifecycle, the attacker can trigger a use-after-free in Passwords and attempt code execution. Weaponized tool: a browser memory-corruption exploit chain; again, no public PoC was located, which raises attacker development cost.
Conditions required:
- Precise heap grooming and bug-trigger reliability on the victim's Chrome/Mac build
- Exploit developer has a working primitive, not just a crash
Where this breaks in practice:
- Modern Chrome exploit reliability is non-trivial, especially on current macOS builds
- Absence of public PoC means most threat actors must build this themselves
- Exploit mitigations, site isolation, and renderer hardening increase failure rate
Detection/coverage: Browser crashes are the early signal. EDR may catch post-exploitation shellcode stages, but it often will not label the initial browser memory corruption cleanly.
STEP 04
Turn browser compromise into useful impact
Practical attacker value comes from session theft, credential access, or follow-on code execution from the compromised browser context. Weaponized tool: post-exploitation loaders or infostealer logic, but the blast radius is still bounded by the user's browser session and whatever additional sandbox or OS controls stand in the way.
Conditions required:
- Attacker succeeds beyond crash-only behavior
- User context contains valuable sessions, saved credentials, or accessible secrets
Where this breaks in practice:
- Without a separate privilege-escalation or sandbox-bypass stage, impact may stay within browser/user context
- macOS security controls, EDR, and limited local privileges reduce follow-on blast radius
Detection/coverage: EDR, identity telemetry, and suspicious cookie/session reuse are more likely to show the real compromise than the initial browser bug itself.
03 · Intelligence Metadata
The supporting signals.
| In-the-wild status | No public evidence of active exploitation found. Google did not state it was exploited in the wild in the June 2, 2026 release post, and it is not listed in CISA KEV. |
|---|---|
| KEV status | Not in KEV at CISA's catalog. No federal due date is attached. |
| PoC availability | No public PoC located. The Chromium tracker entry is restricted at issues.chromium.org/516957738, which is normal for fresh Chrome bugs and limits copycat use. |
| EPSS | User-supplied EPSS 0.0008 — effectively bottom-of-the-barrel exploitation likelihood relative to the wider CVE set. That lines up with the absence of public campaigns or published exploit kits. |
| CVSS interpretation | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H means internet-reachable, no auth required, but high attack complexity and user interaction required. That is exactly the profile that deserves patching, but not panic. |
| Affected versions | Google Chrome on Mac prior to 149.0.7827.53 per the CVE text supplied. Google's desktop stable bulletin says Windows/Mac fixes landed in the 149.0.7827.53/54 train. |
| Fixed versions | Treat 149.0.7827.53 or later on macOS as fixed for this CVE. In mixed-fleet reporting, note that Google's stable desktop release references 149.0.7827.53/54 for Windows/Mac overall. |
| Exposure reality | No meaningful Shodan/Censys/FOFA exposure metric exists because this is endpoint browser software, not an internet-facing daemon. Your real exposure dataset is Mac asset inventory + Chrome version telemetry + whether Chrome is the enterprise default browser. |
| Disclosure date | Publicly disclosed 2026-06-04 per the supplied CVE intel; Google's stable desktop fix bulletin was published 2026-06-02, and Canada's Cyber Centre echoed it on 2026-06-03. |
| Researcher / reporting org | Google's release post attributes it as Reported by Google on 2026-05-27. No external researcher or public write-up was identified from primary sources. |
| Severity label mismatch | The supplied baseline says High 7.5, while Google's June 2, 2026 release post lists CVE-2026-10901 in the post's Critical section. For enterprise patch priority, the real-world frictions support a High, not emergency-Critical, treatment. |
04 · The Call
noisgate verdict.
Final Verdict
= UNCHANGED to HIGH (7.1/10)
The single biggest downward pressure is the CVE's own specific user-interaction requirement on top of being Mac-only client software. That sharply narrows the reachable population versus a true drive-by or internet-facing RCE, even though the underlying memory-corruption impact is serious.
HIGH Affected version range and fix train
MEDIUM Real-world exploitability assessment
HIGH No current KEV / no public exploitation evidence
Why this verdict
- Downgraded from the scariest browser-bug narrative: the attack starts from the web, but it is not a no-click or no-auth server exploit; the victim must be on macOS Chrome and perform specific interaction.
- Exposure is broad but not universal: Chrome is common, yet this CVE only hits the Mac slice of that estate, immediately cutting reachable population in many enterprises.
- Attacker development cost is non-trivial: use-after-free in modern Chrome plus no public PoC and a restricted bug tracker means this is more likely to be used by capable actors than by every commodity kit.
- No exploitation signal: not KEV-listed, no vendor statement of in-the-wild abuse, and the supplied EPSS 0.0008 all argue against elevating this to emergency handling.
Why not higher?
It does not clear the bar for CRITICAL because the attack chain includes user interaction, Mac-only targeting, and likely exploit-reliability challenges in a hardened modern browser. If this were being exploited in the wild, or if a reliable public PoC dropped, that call would change fast.
Why not lower?
It should not fall to MEDIUM because the bug is still unauthenticated, internet-reachable through normal browsing, and the technical impact of successful memory corruption is severe. In an estate with a meaningful Mac population, a realistic phishing or watering-hole campaign could still turn this into credential or session theft.
05 · Compensating Control
What to do — in priority order.
- Enforce browser auto-update — Push managed Chrome update policy and verify Macs are converging on 149.0.7827.53+. For a HIGH verdict, use this as your primary compensating control and deploy it within 30 days if patch rollout is not already automatic.
- Tighten Safe Browsing and web filtering — Make sure Chrome enterprise policy, SWG, and DNS controls block newly registered or low-reputation lure domains that would host the exploit page. This reduces step 1 success and should be validated within 30 days.
- Restrict password-manager surface where feasible — If your environment uses a separate enterprise password manager, consider limiting Chrome's built-in password saving/filling behavior on high-risk groups to reduce reachable paths into the vulnerable component. This is a tradeoff control, not a universal recommendation, and if chosen it should be implemented within 30 days.
- Watch for Chrome crash spikes on Macs — Build a temporary hunt around repeated Chrome crashes, especially clusters tied to a small set of external domains or immediately followed by suspicious child processes, token theft, or session reuse. This detective control should be stood up within 30 days while patch adoption is verified.
What doesn't work
- Perimeter vulnerability scanning will not find this in any useful way; the vulnerable surface is a client browser, so unauthenticated network scanners provide near-zero value.
- MFA alone does not stop initial exploitation of the browser bug; it may reduce downstream account takeover but does nothing for the memory-corruption trigger.
- Generic antivirus signatures are unreliable against a fresh custom browser exploit chain, especially before commodity tooling appears.
06 · Verification
Crowdsourced verification payload.
Run this on the target Mac endpoint or through your EDR remote shell. Invoke it as bash chrome_cve_2026_10901_check.sh /Applications/Google\ Chrome.app; no root is required, but the script must be able to read the app bundle metadata.
#!/bin/bash
# chrome_cve_2026_10901_check.sh
# Check Google Chrome on macOS for CVE-2026-10901 exposure.
# Affected: Google Chrome on Mac prior to 149.0.7827.53
# Output: VULNERABLE / PATCHED / UNKNOWN
# Exit codes: 0=VULNERABLE, 1=PATCHED, 2=UNKNOWN
set -u
APP_PATH="${1:-/Applications/Google Chrome.app}"
MIN_SAFE="149.0.7827.53"
version_lt() {
# returns 0 if $1 < $2, else 1
local IFS=.
local i
local -a va=($1) vb=($2)
local len=${#va[@]}
if [ ${#vb[@]} -gt $len ]; then
len=${#vb[@]}
fi
for ((i=0; i<len; i++)); do
local a=${va[i]:-0}
local b=${vb[i]:-0}
if ((10#$a < 10#$b)); then
return 0
elif ((10#$a > 10#$b)); then
return 1
fi
done
return 1
}
if [[ "$(uname -s)" != "Darwin" ]]; then
echo "UNKNOWN: This check is intended for macOS (Darwin)."
exit 2
fi
if [[ ! -d "$APP_PATH" ]]; then
echo "UNKNOWN: Chrome app not found at $APP_PATH"
exit 2
fi
PLIST="$APP_PATH/Contents/Info.plist"
if [[ ! -f "$PLIST" ]]; then
echo "UNKNOWN: Info.plist not found at $PLIST"
exit 2
fi
VERSION=$(/usr/bin/defaults read "$APP_PATH/Contents/Info" CFBundleShortVersionString 2>/dev/null || true)
if [[ -z "$VERSION" ]]; then
VERSION=$(/usr/libexec/PlistBuddy -c 'Print :CFBundleShortVersionString' "$PLIST" 2>/dev/null || true)
fi
if [[ -z "$VERSION" ]]; then
echo "UNKNOWN: Could not determine Chrome version"
exit 2
fi
if version_lt "$VERSION" "$MIN_SAFE"; then
echo "VULNERABLE: Google Chrome version $VERSION is older than $MIN_SAFE"
exit 0
else
echo "PATCHED: Google Chrome version $VERSION is at or above $MIN_SAFE"
exit 1
fi
07 · Bottom Line
If you remember one thing.
TL;DR
Monday morning, pull a Mac-only Chrome version inventory, identify anything below 149.0.7827.53, and verify whether those systems are actually using Chrome as a primary browser. For this HIGH verdict, the noisgate mitigation SLA is ≤30 days for compensating controls such as enforced auto-update, web-filter tightening, and crash hunting, and the noisgate remediation SLA is ≤180 days for the actual vendor patch — but in practice, because this is a browser and the fix already exists, most enterprises should close it much sooner than the outer remediation window.
Sources
Peer Review
What defenders are saying.
Submit a review
attribution: handle + country only
0 flags selected · stored anonymously
Validation Results
Crowdsourced verification outputs.
Results submitted by users who ran the verification payload against their environment.