CVE-2026-12447 Overview
CVE-2026-12447 is a heap buffer overflow vulnerability in the Web Real-Time Communication (WebRTC) component of Google Chrome. The flaw affects Chrome versions prior to 149.0.7827.155 across Windows, macOS, and Linux platforms. A remote attacker can execute arbitrary code inside the Chrome sandbox by tricking a user into visiting a crafted HTML page. Google's Chromium project rates the security severity as High, and the issue is tracked under CWE-122 (Heap-based Buffer Overflow).
Critical Impact
Remote attackers can achieve arbitrary code execution inside the Chrome renderer sandbox through a single malicious web page, providing a foothold for further sandbox escape chains.
Affected Products
- Google Chrome versions prior to 149.0.7827.155
- Chrome on Microsoft Windows
- Chrome on Apple macOS and Linux distributions
Discovery Timeline
- 2026-06-17 - CVE-2026-12447 published to the National Vulnerability Database
- 2026-06-18 - Last updated in NVD database
Technical Details for CVE-2026-12447
Vulnerability Analysis
The vulnerability resides in Chrome's WebRTC implementation, the browser subsystem that handles real-time audio, video, and data channel communication between peers. WebRTC processes untrusted media streams, SDP (Session Description Protocol) offers, and ICE candidates supplied by remote endpoints or attacker-controlled JavaScript. A heap buffer overflow in this code path allows an attacker to write beyond the bounds of an allocated heap buffer.
Successful exploitation enables arbitrary code execution inside the Chrome renderer sandbox. The attack requires user interaction, meaning a victim must visit a crafted HTML page or load attacker-controlled content within an existing tab. While the Chrome sandbox limits direct impact on the host operating system, attackers commonly chain renderer-side memory corruption bugs with sandbox escape primitives to achieve full system compromise.
Root Cause
The root cause is improper bounds checking in the WebRTC media or signaling code, classified as [CWE-122] Heap-based Buffer Overflow. When attacker-controlled data is processed, the affected routine writes past the end of a heap allocation, corrupting adjacent objects and function pointers that the renderer later dereferences.
Attack Vector
Exploitation is network-based and requires the victim to load a malicious HTML page. The attacker hosts a page that initiates a WebRTC session and delivers crafted media or signaling data designed to trigger the overflow. No authentication is required, and the attack can be delivered through phishing, malvertising, or compromised legitimate websites.
No public proof-of-concept exploit code is currently available, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog. Technical details remain restricted in the Chromium Issue Tracker report pending broad patch adoption.
Detection Methods for CVE-2026-12447
Indicators of Compromise
- Chrome renderer process crashes with heap corruption signatures (SIGSEGV, STATUS_HEAP_CORRUPTION) coinciding with WebRTC session activity.
- Unexpected child processes spawned by chrome.exe or the renderer helper following navigation to untrusted pages.
- Outbound connections to unfamiliar STUN, TURN, or WebSocket endpoints from browser processes.
Detection Strategies
- Inventory installed Chrome versions across managed endpoints and flag any build below 149.0.7827.155.
- Hunt for crash dumps from chrome.exe containing WebRTC modules (webrtc.dll, libwebrtc) in stack traces; where WebRTC is linked statically into the main Chrome binary, look instead for frames in the webrtc:: namespace.
- Correlate browser process anomalies with web proxy logs to identify pages that triggered renderer crashes.
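The second and third hunting strategies above, worked as an added example that is not part of the original advisory: it classifies crash events by the heap-corruption signatures and WebRTC frames the advisory names, then pairs each such crash with proxy requests from the same host shortly before it. The crash events, frame names, hostnames and URLs are constructed sample data, and the field layout of both inputs is an assumption.

```python
from datetime import datetime, timedelta

# Heap-corruption signatures named in the advisory's indicators of compromise.
HEAP_SIGNATURES = {"STATUS_HEAP_CORRUPTION", "SIGSEGV"}

# Constructed sample telemetry (not real data). Frame names are placeholders
# in the shape a symbolised Chrome crash dump would show.
CRASH_EVENTS = [
    {"ts": "2026-06-18T10:02:11", "host": "ws-07", "proc": "chrome.exe",
     "signal": "STATUS_HEAP_CORRUPTION",
     "frames": ["webrtc::ConstructedFrame", "chrome.dll!ConstructedFrame"]},
    {"ts": "2026-06-18T11:30:00", "host": "ws-07", "proc": "chrome.exe",
     "signal": "SIGSEGV",
     "frames": ["v8::ConstructedFrame", "chrome.dll!ConstructedFrame"]},
]
PROXY_LOG = [
    "2026-06-18T10:01:58 ws-07 GET https://example.invalid/call 200",
    "2026-06-18T10:05:30 ws-07 GET https://intranet.example/home 200",
]


def is_webrtc_heap_crash(event: dict) -> bool:
    """A Chrome process crash with a heap-corruption signal and at least one
    WebRTC frame (webrtc:: namespace or a webrtc/libwebrtc module)."""
    if not event["proc"].startswith("chrome"):
        return False
    if event["signal"] not in HEAP_SIGNATURES:
        return False
    return any("webrtc" in frame.lower() for frame in event["frames"])


def parse_proxy_line(line: str) -> dict:
    """Assumed layout: '<iso-timestamp> <host> <method> <url> <status>'."""
    ts, host, _method, url, _status = line.split()
    return {"ts": datetime.fromisoformat(ts), "host": host, "url": url}


def correlate(crashes, proxy_lines, window=timedelta(seconds=60)):
    """For each WebRTC heap crash, collect the URLs the same host fetched in
    the `window` before the crash; these are the pages worth investigating."""
    requests = [parse_proxy_line(line) for line in proxy_lines]
    leads = []
    for ev in crashes:
        if not is_webrtc_heap_crash(ev):
            continue
        t = datetime.fromisoformat(ev["ts"])
        urls = [r["url"] for r in requests
                if r["host"] == ev["host"] and t - window <= r["ts"] <= t]
        leads.append({"host": ev["host"], "crash_ts": ev["ts"], "urls": urls})
    return leads
```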
Monitoring Recommendations
- Enable endpoint telemetry on browser process trees, including command-line arguments and DLL load events.
- Monitor for post-exploitation behaviors such as suspicious file writes under user profile directories or script interpreter launches from Chrome.
- Forward browser crash and update telemetry to a central SIEM for retrospective threat hunting.
How to Mitigate CVE-2026-12447
Immediate Actions Required
- Update Google Chrome to version 149.0.7827.155 or later on all Windows, macOS, and Linux endpoints.
- Restart Chrome after the update to ensure the patched binaries are loaded into memory.
- Audit Chromium-based browsers (Edge, Brave, Opera, Vivaldi) and apply vendor updates that incorporate the WebRTC fix.
Patch Information
Google released the fix in the Chrome Stable channel as documented in the Google Chrome Desktop Update. Enterprise administrators should deploy the update through Chrome Browser Cloud Management, Google Update for Business, or platform package managers. Verify rollout by checking chrome://version reports against the fixed build number.
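The version inventory check from the Detection Strategies list and the rollout verification described above, as an added example that is not part of the original advisory. It parses the four-part build number from text such as `google-chrome --version` output or a chrome://version report and compares it numerically against the fixed build, which avoids the trap of a plain string comparison ranking 149.0.7827.99 above 149.0.7827.155. The hostnames and version strings in the sample inventory are constructed.

```python
import re
from typing import Iterable, Optional

FIXED_VERSION = "149.0.7827.155"  # fixed build named in the advisory

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_chrome_version(text: str) -> Optional[tuple]:
    """Extract the four-part Chrome build number from text such as
    'Google Chrome 149.0.7827.155'. Returns a tuple of ints, or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(part) for part in m.groups())


def is_vulnerable(version_text: str, fixed: str = FIXED_VERSION) -> Optional[bool]:
    """True if the build is older than the fixed build. Tuples of ints compare
    component by component, so 149.0.7827.99 < 149.0.7827.155 as intended.
    None when no build number is present in the text."""
    found = parse_chrome_version(version_text)
    if found is None:
        return None
    return found < parse_chrome_version(fixed)


def triage_inventory(records: Iterable[tuple]) -> dict:
    """records: (hostname, version_text) pairs. Groups hosts by patch status."""
    result = {"vulnerable": [], "patched": [], "unknown": []}
    for host, text in records:
        status = is_vulnerable(text)
        if status is None:
            result["unknown"].append(host)
        elif status:
            result["vulnerable"].append(host)
        else:
            result["patched"].append(host)
    return result


# Constructed sample inventory (not real hosts or collected data).
SAMPLE_INVENTORY = [
    ("ws-01", "Google Chrome 149.0.7827.155"),
    ("ws-02", "Google Chrome 149.0.7827.99"),
    ("ws-03", "Google Chrome 148.0.7800.210"),
    ("ws-04", "Chrome version string unavailable"),
]

if __name__ == "__main__":
    print(triage_inventory(SAMPLE_INVENTORY))
```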
Workarounds
- Disable WebRTC in managed Chrome deployments using the WebRtcAllowLegacyTLSProtocols and related enterprise policies where business workflows permit. Note that WebRtcAllowLegacyTLSProtocols by itself only governs legacy TLS use in WebRTC sessions; consult the current Chrome enterprise policy list for the WebRTC-related policies your deployment can actually apply, and confirm the resulting behaviour on a test endpoint.
- Restrict access to untrusted websites through web filtering or browser isolation until patching is complete.
- Apply the principle of least privilege to user accounts so that any sandbox escape has limited downstream impact.
# Verify Chrome version on Linux endpoints
google-chrome --version
# Example enterprise policy snippet (Windows registry) to enforce auto-update
reg add "HKLM\SOFTWARE\Policies\Google\Update" /v UpdateDefault /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Google\Update" /v AutoUpdateCheckPeriodMinutes /t REG_DWORD /d 60 /f
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.