Use after free in Chromoting in Google Chrome on Windows prior to 149

CVE-2026-10978 is a use-after-free in Chrome's Chromoting component affecting Google Chrome on Windows before 149.0.7827.53. In plain English: if a victim on Windows processes attacker-controlled Chromoting / Chrome Remote Desktop-related network traffic, memory can be reused after release and turned into arbitrary code execution. The vendor text and the CVSS vector both imply no auth required but user interaction is required.

paragraph 2: Google's 8.8/HIGH baseline is technically defensible for a browser memory-corruption bug, but it overstates enterprise urgency for broad fleet patch triage. The key downward pressure is reach: this is Windows-only, tied to Chromoting rather than generic web rendering, and appears to need the victim to enter the relevant traffic path. With no KEV listing, no public PoC, and a very low EPSS, this looks more like a feature-scoped client RCE than a Monday-morning internet-fire drill.

Why this verdict

• Feature-scoped attack surface: start from Google's 8.8/HIGH, then adjust down because this is tied to Chromoting, not the ordinary page-rendering path that every Chrome user hits all day.
• User interaction compounds the friction: UI:R is already in the CVSS, but in real deployments it implies social or operational positioning to get a user into the relevant CRD/Chromoting flow.
• Reachable population is much smaller than 'all Chrome on Windows': many enterprises block or do not use Chrome Remote Desktop at all, which materially reduces exploitable exposure.
• Windows-only scope: this CVE's public description is specific to Windows, so mixed-platform fleets immediately shrink the patch universe.
• Threat intel is cold: no KEV, no public PoC found, and provided EPSS 0.0008 all push down from vendor baseline.

Why not higher?

There is no public evidence that attackers are exploiting this now, and the public description does not support treating it like a universal website-triggered Chrome zero-day. The combination of Chromoting-specific reachability, Windows-only scope, and required user interaction is too much friction for a HIGH or CRITICAL enterprise triage call.

Why not lower?

This is still a remote, no-privileges memory corruption bug in a massively deployed client. If the feature path is reachable in your environment, the end state is serious enough that it does not belong in backlog-hygiene LOW territory.

1. Disable Chrome Remote Desktop where you do not need it — Use Google's enterprise controls to turn off or restrict Chrome Remote Desktop / Chromoting for users and hosts that do not need it. For a MEDIUM verdict there is no mitigation SLA; use this as immediate exposure reduction while you work inside the 365-day remediation window.
2. Disable CRD firewall traversal — Set RemoteAccessHostFirewallTraversal to 0 on managed Windows systems if CRD must remain available only for LAN/VPN use. This cuts off broader internet-mediated host reachability and is a practical scoping control when business teams insist on keeping CRD.
3. Block CRD service URLs for non-admin populations — Block https://remotedesktop-pa.googleapis.com and, if appropriate, https://remotedesktop.google.com for user groups that should never use the feature. There is no noisgate mitigation SLA for MEDIUM; apply this where the business case is weak and keep patching inside the 365-day remediation deadline.
4. Prioritize high-risk user cohorts first — If you cannot patch the whole Windows fleet at once, focus policy restrictions and accelerated patching on help-desk, MSP, contractor, and admin workstations that are more likely to use remote-support tooling. Those users are the most plausible reachable population for this bug.

Run this on the target Windows endpoint or via your software deployment / EDR remote shell. Invoke it with powershell -ExecutionPolicy Bypass -File .\check-chrome-cve-2026-10978.ps1; standard user rights are usually enough to read file versions, but local admin helps if your tooling blocks access to machine-wide install paths.

# check-chrome-cve-2026-10978.ps1

# Purpose: Detect likely exposure to CVE-2026-10978 on Windows by checking Chrome version

# Output: VULNERABLE / PATCHED / UNKNOWN

# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN


$ErrorActionPreference = 'Stop'

function Get-VersionObject {
    param([string]$VersionString)
    try { return [version]$VersionString } catch { return $null }
}

function Get-ChromeCandidates {
    $paths = @(
        "$env:ProgramFiles\Google\Chrome\Application\chrome.exe",
        "$env:ProgramFiles(x86)\Google\Chrome\Application\chrome.exe",
        "$env:LOCALAPPDATA\Google\Chrome\Application\chrome.exe"
    )
    $found = @()
    foreach ($p in $paths) {
        if ($p -and (Test-Path $p)) {
            try {
                $ver = (Get-Item $p).VersionInfo.ProductVersion
                if (-not [string]::IsNullOrWhiteSpace($ver)) {
                    $found += [pscustomobject]@{ Path = $p; Version = $ver }
                }
            } catch {}
        }
    }
    return $found
}

function Test-CRDHostInstalled {
    $hostPaths = @(
        "$env:ProgramFiles(x86)\Google\Chrome Remote Desktop\CurrentVersion\remoting_host.exe",
        "$env:ProgramFiles\Google\Chrome Remote Desktop\CurrentVersion\remoting_host.exe"
    )
    foreach ($hp in $hostPaths) {
        if (Test-Path $hp) { return $true }
    }
    return $false
}

$fixedFloor = Get-VersionObject '149.0.7827.53'
$candidates = Get-ChromeCandidates
$crdInstalled = Test-CRDHostInstalled

if (-not $candidates -or $candidates.Count -eq 0) {
    Write-Output 'UNKNOWN - Google Chrome not found in standard install paths.'
    exit 2
}

$vulnerable = $false
$unknownSeen = $false

foreach ($c in $candidates) {
    $v = Get-VersionObject $c.Version
    if ($null -eq $v) {
        Write-Output ("UNKNOWN - Could not parse version at {0}: {1}" -f $c.Path, $c.Version)
        $unknownSeen = $true
        continue
    }

    if ($v -lt $fixedFloor) {
        $suffix = if ($crdInstalled) { ' Chrome Remote Desktop host appears installed.' } else { ' Chrome Remote Desktop host not detected in standard paths.' }
        Write-Output ("VULNERABLE - Chrome version {0} at {1} is older than 149.0.7827.53.{2}" -f $v, $c.Path, $suffix)
        $vulnerable = $true
    } else {
        Write-Output ("PATCHED-CANDIDATE - Chrome version {0} at {1} meets or exceeds 149.0.7827.53." -f $v, $c.Path)
    }
}

if ($vulnerable) {
    exit 1
}

if ($unknownSeen) {
    Write-Output 'UNKNOWN - At least one Chrome install could not be evaluated, and none were confirmed vulnerable.'
    exit 2
}

Write-Output 'PATCHED - All detected Chrome installs meet or exceed 149.0.7827.53.'
exit 0

Sources

1. Google Chrome Releases - Stable Channel Update for Desktop (June 2, 2026)
2. NVD detail page for CVE-2026-10978
3. Google Chrome Enterprise - Control use of Chrome Remote Desktop
4. Google Chrome Enterprise - Network guide for Chrome Remote Desktop
5. Google Chrome Help - Access another computer with Chrome Remote Desktop
6. CISA Known Exploited Vulnerabilities Catalog
7. FIRST EPSS API documentation
8. VulDB entry for CVE-2026-10978