CVE-2026-12444 Overview
CVE-2026-12444 is an out-of-bounds read vulnerability [CWE-125] in the Chromoting component of Google Chrome on Windows. The flaw affects Chrome versions prior to 149.0.7827.155. A local attacker can deliver a malicious file that triggers the out-of-bounds read and obtain potentially sensitive information from Chrome process memory. The Chromium project rated the security severity as High, while NVD assigned a medium CVSS score reflecting the local attack vector and user interaction requirement. Google addressed the issue in the stable channel desktop update published through the Chrome Releases blog.
Critical Impact
Local attackers can read sensitive process memory from the Chrome Chromoting (remote desktop) component by convincing a user to open a malicious file.
Affected Products
- Google Chrome on Windows prior to 149.0.7827.155
- Google Chrome distributions referencing Chromoting on macOS
- Google Chrome distributions referencing Chromoting on Linux
Discovery Timeline
- 2026-06-17 - CVE-2026-12444 published to NVD
- 2026-06-18 - Last updated in NVD database
Technical Details for CVE-2026-12444
Vulnerability Analysis
The vulnerability resides in Chromoting, the component that powers Chrome Remote Desktop functionality. An out-of-bounds read occurs when the component processes a malicious file and accesses memory outside the bounds of an allocated buffer. The read returns adjacent memory contents to attacker-controlled processing logic, enabling information disclosure from the Chrome process address space.
Exploitation requires local access and user interaction, consistent with the CVSS vector AV:L/AC:L/PR:N/UI:R. The attacker must convince the user to open a crafted file handled by Chromoting. Successful exploitation impacts confidentiality only; integrity and availability are not affected. Leaked memory may include browser session data, tokens, or pointers useful for chaining with other Chrome flaws.
Root Cause
The defect is an [CWE-125] Out-of-Bounds Read, where Chromoting code reads past the end of a buffer while parsing untrusted input from a malicious file. Missing or incorrect bounds checks on indexes or length fields allow the read primitive. Refer to the Chromium Issue Tracker Entry for upstream details.
Attack Vector
The attack vector is local. An attacker stages a malicious file that Chromoting parses, then induces the victim to open it through Chrome. Chromoting performs the unsafe read while processing structured fields in the file. The vulnerability does not, by itself, provide code execution. It can serve as an information disclosure primitive that supports follow-on exploitation when combined with a separate memory corruption bug.
No public proof-of-concept exploit is available, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog. The EPSS probability is 0.133%.
Detection Methods for CVE-2026-12444
Indicators of Compromise
- Chrome processes (chrome.exe) crashing or generating unexpected exception telemetry while handling files associated with Chromoting or Chrome Remote Desktop.
- Endpoints running Chrome builds older than 149.0.7827.155 after the patch release date.
- Unexpected file open events targeting Chromoting handlers initiated from email attachments, downloads, or removable media.
Detection Strategies
- Inventory installed Chrome versions across Windows, macOS, and Linux endpoints and flag instances below 149.0.7827.155.
- Correlate browser process crash dumps with recent file open events to identify possible exploitation attempts against Chromoting parsing routines.
- Hunt for anomalous child process activity or memory access patterns originating from chrome.exe after opening untrusted files.
Monitoring Recommendations
- Enable Chrome browser telemetry forwarding to a central log platform and alert on repeated renderer or utility process crashes.
- Monitor enterprise patch compliance dashboards for Chrome update lag exceeding 72 hours after vendor release.
- Track delivery of suspicious file types to users who have Chrome Remote Desktop or Chromoting features enabled.
How to Mitigate CVE-2026-12444
Immediate Actions Required
- Update Google Chrome to version 149.0.7827.155 or later on all Windows, macOS, and Linux endpoints.
- Verify that auto-update is enabled and functioning; force a restart of the browser to apply pending updates.
- Restrict execution of untrusted files and educate users to avoid opening files from unknown sources that invoke Chrome Remote Desktop workflows.
Patch Information
Google released the fix in the stable channel desktop update referenced in the Google Chrome Update Release. Administrators should deploy Chrome 149.0.7827.155 or newer through enterprise update mechanisms such as Group Policy, Microsoft Intune, Jamf, or package managers.
Workarounds
- Disable Chrome Remote Desktop and the Chromoting host service on systems that do not require remote desktop functionality.
- Apply application control policies to block execution of file types known to be processed by Chromoting from untrusted locations.
- Use enterprise browser policies to limit which users can install or run remote desktop extensions until patching is complete.
# Configuration example: enforce minimum Chrome version via Group Policy on Windows
# Registry path managed by Chrome ADMX templates
reg add "HKLM\Software\Policies\Google\Chrome" /v TargetVersionPrefix /t REG_SZ /d "149.0.7827.155" /f
# Disable Chrome Remote Desktop host on Windows if not required
sc config chromoting stop= disabled
sc stop chromoting
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
