ZeroPath at Black Hat USA 2026

Quick Look: CVE-2026-9111, a Critical Use After Free in Google Chrome WebRTC on Linux

A brief summary of CVE-2026-9111, a critical use after free vulnerability in Google Chrome's WebRTC component on Linux that enables remote code execution via a crafted HTML page.

CVE Analysis

5 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-20

Quick Look: CVE-2026-9111, a Critical Use After Free in Google Chrome WebRTC on Linux
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A critical use after free in Google Chrome's WebRTC component on Linux opens the door to remote code execution, requiring nothing more than a visit to a malicious webpage. With Chrome commanding somewhere between 56% and 69% of the global browser market depending on the source, any remotely exploitable flaw in its codebase carries significant weight for defenders managing Linux workstations and developer environments.

Technical Information

CVE-2026-9111 is classified under CWE-416 (Use After Free) and resides in the WebRTC subsystem of Google Chrome. WebRTC provides real time communication capabilities, including video and voice, directly within the browser. It is a complex native code component that handles media streams, peer connections, and data channels, making it a historically rich attack surface.

Root Cause

A use after free condition occurs when an application continues to use a pointer after the memory it references has been freed. This creates a dangling pointer. If the freed memory region is subsequently reallocated for a different object or buffer, any operations through the original pointer now interact with attacker influenced data. By carefully manipulating heap layout, an attacker can overwrite critical structures such as vtable pointers or function pointers, redirecting execution flow and achieving arbitrary code execution within the renderer process.

The specific bug details remain restricted in the Chromium issue tracker (issue 504551032). Google's standard practice is to withhold technical specifics until a majority of users have received the update, preventing threat actors from reverse engineering the patch before broad deployment.

Attack Flow

  1. The attacker constructs a malicious HTML page that exercises the vulnerable WebRTC code path on Linux.
  2. The victim, running a vulnerable version of Chrome on Linux (prior to 148.0.7778.179), navigates to the attacker controlled page. This could be delivered via phishing, malvertising, or a compromised legitimate site.
  3. The crafted page triggers the use after free condition in the WebRTC component. No additional user interaction beyond the initial page load is required.
  4. The attacker leverages the dangling pointer to corrupt memory and gain arbitrary code execution within the Chrome process.

The CVSS score of 8.8 and Chromium's own Critical severity rating reflect the low barrier to exploitation (network accessible, no privileges required, no user interaction beyond visiting the page) and the high impact (arbitrary code execution).

Version Discrepancy

Administrators should be aware of a discrepancy between official sources regarding the fixed version on Linux. The CVE record explicitly states that Linux versions prior to 148.0.7778.179 are vulnerable. However, the Chrome Releases blog entry references Linux receiving version 148.0.7778.178. The safest course of action is to target the 179 build as the minimum safe version on Linux.

PlatformChrome Releases Blog VersionCVE Record Safe VersionResolution Action
Windows148.0.7778.178 or 179Not specifiedMonitor rollout
macOS148.0.7778.178 or 179Not specifiedMonitor rollout
Linux148.0.7778.178148.0.7778.179Target 148.0.7778.179

Affected Systems and Versions

The vulnerability affects Google Chrome on Linux prior to version 148.0.7778.179. The CVE record and NVD entry both specify this version boundary explicitly. While the Chrome Releases blog also lists updates for Windows and macOS in the same stable channel release, the CVE description specifically calls out Linux as the affected platform.

Organizations should verify the exact Chrome version deployed across their Linux fleet. The chrome://version page or command line flag google-chrome --version can be used to confirm the running build number.

Vendor Security History

Google maintains a mature vulnerability management program for Chrome. The Vulnerability Rewards Program incentivizes external researchers to find and responsibly disclose security flaws, and the history of fixed security bugs is publicly documented through Stable Channel updates on the Chrome Releases blog. The May 20, 2026 update that addressed CVE-2026-9111 included 16 security fixes in total, which is consistent with Google's established cadence of bundling multiple security corrections into each stable channel release.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization