CVE-2026-12445 Overview
CVE-2026-12445 is a use-after-free vulnerability [CWE-416] in the Extensions component of Google Chrome prior to version 149.0.7827.155. An attacker who convinces a user to install a crafted malicious extension can trigger heap corruption. The flaw affects Chrome installations on Windows, macOS, and Linux. Google rated the underlying Chromium issue as High severity and shipped a fix in the Stable channel update.
Critical Impact
Successful exploitation can lead to heap corruption, enabling arbitrary code execution within the browser process and full compromise of user data handled by Chrome.
Affected Products
- Google Chrome versions prior to 149.0.7827.155
- Chrome on Microsoft Windows
- Chrome on Apple macOS and Linux distributions
Discovery Timeline
- 2026-06-17 - CVE-2026-12445 published to NVD
- 2026-06-18 - Last updated in NVD database
Technical Details for CVE-2026-12445
Vulnerability Analysis
The vulnerability resides in the Extensions subsystem of the Chromium-based Chrome browser. It is classified as a use-after-free [CWE-416], a memory corruption class in which freed heap memory is referenced again by the program. When the Extensions component releases an object but retains a dangling pointer, subsequent operations on that pointer manipulate memory the allocator may have reused for unrelated data.
A crafted extension can force this object lifetime mismatch during Chrome's handling of extension APIs. The attacker uses the freed slot to plant attacker-controlled data, then triggers the dangling reference. The result is heap corruption inside the renderer or extension process, which can be escalated to arbitrary code execution.
Exploitation requires user interaction. The victim must be persuaded to install a malicious extension, raising the practical attack complexity. Once installed, however, extensions run with elevated privileges relative to ordinary web content, broadening the impact surface.
Root Cause
The root cause is improper object lifetime management within the Extensions code path. A reference to an extension-related object remains valid in code paths executed after the object is freed. Chromium's tracking entry 513199795 covers the internal fix.
Attack Vector
The attack vector is network-based but gated by user action. An attacker hosts a malicious extension and uses social engineering, sideloading instructions, or supply-chain compromise of an existing extension to convince a user to install it. The crafted extension then issues the API sequence that triggers the use-after-free.
The vulnerability is described in prose because no public proof-of-concept code or exploit has been released. Refer to the Chromium Issue Tracker Entry and Google Chrome Releases blog for vendor details.
Detection Methods for CVE-2026-12445
Indicators of Compromise
- Installation of Chrome extensions from outside the Chrome Web Store, particularly via developer mode or --load-extension command-line flags.
- Unexpected Chrome renderer or extension process crashes with heap corruption signatures shortly after extension installation.
- Extensions requesting broad permissions such as <all_urls>, tabs, webRequest, or nativeMessaging without clear business justification.
Detection Strategies
- Inventory installed Chrome extensions across endpoints and compare extension IDs against an approved allowlist.
- Use EDR telemetry and the version reported by chrome.exe --version to identify hosts still running Chrome builds below 149.0.7827.155.
- Hunt for child processes spawned by chrome.exe that are inconsistent with normal browser behavior, such as shell interpreters or scripting hosts.
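The inventory and version checks above, as an added example that is not part of the original advisory: it walks a constructed sample of the extensions.settings map from Chrome's Preferences file, flags extensions that are off the allowlist, not from the Chrome Web Store, or holding the broad permissions listed under Indicators of Compromise, and compares a reported Chrome version against the patched build. The map layout (from_webstore, manifest.permissions) and the allowlist ID are assumptions.

```python
import json

# Patched build from the advisory; allowlist ID and broad-permission set are constructed.
PATCHED_VERSION = "149.0.7827.155"
APPROVED_IDS = {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}
BROAD_PERMISSIONS = {"<all_urls>", "tabs", "webRequest", "nativeMessaging"}

# Constructed sample resembling the "extensions.settings" map in Chrome's
# Preferences / Secure Preferences file (assumed layout, not a real capture).
SAMPLE_PREFS = json.loads("""
{
  "extensions": {
    "settings": {
      "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
        "from_webstore": true,
        "manifest": {"name": "Approved Tool", "permissions": ["storage"]}
      },
      "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
        "from_webstore": false,
        "manifest": {"name": "Sideloaded", "permissions": ["<all_urls>", "nativeMessaging"]}
      }
    }
  }
}
""")

def version_tuple(v):
    """Split a dotted Chrome version string into a comparable tuple of ints."""
    return tuple(int(x) for x in v.split("."))

def is_vulnerable(version):
    """True when the reported Chrome version is older than the patched build."""
    return version_tuple(version) < version_tuple(PATCHED_VERSION)

def audit_extensions(prefs, approved=APPROVED_IDS):
    """Return (extension_id, reasons) pairs for extensions that need review."""
    findings = []
    for ext_id, entry in prefs.get("extensions", {}).get("settings", {}).items():
        reasons = []
        if ext_id not in approved:
            reasons.append("not on allowlist")
        if not entry.get("from_webstore", False):
            reasons.append("not installed from Chrome Web Store")
        perms = set(entry.get("manifest", {}).get("permissions", []))
        broad = sorted(perms & BROAD_PERMISSIONS)
        if broad:
            reasons.append("broad permissions: " + ", ".join(broad))
        if reasons:
            findings.append((ext_id, reasons))
    return findings
```

On a real endpoint, load the Preferences or Secure Preferences file from the Chrome profile directory in place of SAMPLE_PREFS and feed the output to the SIEM correlation described under Monitoring Recommendations.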
Monitoring Recommendations
- Forward Chrome crash reports and extension installation events to a centralized SIEM or data lake for correlation.
- Track changes to the Chrome Preferences and Secure Preferences files where extension state is stored.
- Alert on registry keys such as HKLM\Software\Google\Chrome\Extensions that register force-installed extensions outside policy.
How to Mitigate CVE-2026-12445
Immediate Actions Required
- Update Google Chrome to version 149.0.7827.155 or later on all Windows, macOS, and Linux endpoints.
- Restart the browser after the update so the patched binary is loaded into memory.
- Audit installed extensions and remove any that are unsigned, sideloaded, or sourced from outside the Chrome Web Store.
Patch Information
Google released the fix in the Stable channel update documented at the Google Chrome Releases blog. The patched version is 149.0.7827.155. Enterprises managing Chrome through Group Policy or Chrome Browser Cloud Management should confirm that the TargetVersionPrefix policy does not pin clients to a vulnerable build.
Workarounds
- Enforce an extension allowlist with the ExtensionInstallAllowlist and ExtensionInstallBlocklist enterprise policies.
- Disable developer mode for extensions using the DeveloperToolsAvailability policy to prevent sideloading.
- Restrict extension installation sources to the Chrome Web Store via the ExtensionInstallSources policy.
Configuration example: Chrome enterprise policy to restrict extensions (Linux JSON). JSON does not allow comments, so the description sits outside the file; replace the placeholder IDs with the IDs of approved extensions.
{
  "ExtensionInstallBlocklist": ["*"],
  "ExtensionInstallAllowlist": [
    "<approved-extension-id-1>",
    "<approved-extension-id-2>"
  ],
  "ExtensionInstallSources": ["https://clients2.google.com/service/update2/crx"],
  "DeveloperToolsAvailability": 2
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.