CVE-2026-12461 Overview
CVE-2026-12461 is an out-of-bounds read vulnerability [CWE-125] in the WebRTC component of Google Chrome on Windows. The flaw affects Chrome versions prior to 149.0.7827.155. A remote attacker can exploit this issue by serving a crafted HTML page to a victim, leveraging the read primitive to disclose data from the browser process memory. Google classified the underlying Chromium security severity as High, while NVD scored the CVE at 6.5 (Medium) under CVSS 3.1. User interaction is required, since the victim must visit attacker-controlled content for exploitation to succeed.
Critical Impact
Remote attackers can read sensitive data from Chrome process memory by tricking users into loading a crafted HTML page that targets the WebRTC stack.
Affected Products
- Google Chrome on Windows prior to 149.0.7827.155
- Microsoft Windows hosts running vulnerable Chrome builds
- Chromium-based deployments embedding the affected WebRTC implementation
Discovery Timeline
- 2026-06-17 - CVE-2026-12461 published to NVD
- 2026-06-18 - Last updated in NVD database
Technical Details for CVE-2026-12461
Vulnerability Analysis
The vulnerability resides in Chrome's WebRTC implementation, which handles real-time audio, video, and data channel communication in the browser. WebRTC parses untrusted media and signaling payloads, making any bounds-checking mistake reachable from web content. In this case, code paths within WebRTC read beyond the end of an allocated buffer, returning adjacent process memory to attacker-controlled logic.
Because the read occurs inside the Chrome renderer or related process context, leaked bytes can include pointers, cryptographic material, cached credentials, or fragments of previously loaded pages. Attackers commonly chain such information disclosure flaws with memory corruption bugs to defeat Address Space Layout Randomization (ASLR) and achieve reliable code execution. The issue impacts confidentiality only and does not directly modify state or crash the browser.
Root Cause
The root cause is improper validation of buffer boundaries during WebRTC data processing, classified as CWE-125 (Out-of-bounds Read). The component reads from memory using an index or length derived from attacker-supplied input without enforcing the actual size of the underlying allocation.
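As an added illustration that is not Chrome or WebRTC code, the following Python shows the general CWE-125 shape the root cause describes: a parser that reads using a length taken from the input without checking it against the real record size, beside the bounds-checked version. The record format, the simulated memory layout and the neighbouring data are all constructed for the example.

```python
# Added example (not Chrome/WebRTC code): a generic CWE-125 pattern, a length-prefixed
# record parser that trusts the length field, next to the bounds-checked version.
# "Process memory" is simulated with one bytearray so the over-read is visible.


def parse_record_unchecked(mem: bytes, off: int) -> bytes:
    """Read a 2-byte big-endian length and return that many payload bytes.

    Trusts the input-controlled length, so it reads past the record it was given
    and returns whatever sits next to it in the buffer.
    """
    length = int.from_bytes(mem[off:off + 2], "big")
    return bytes(mem[off + 2:off + 2 + length])


def parse_record_checked(mem: bytes, off: int, record_len: int) -> bytes:
    """Same parse, but the declared length is validated against the actual record size."""
    if record_len < 2 or off + record_len > len(mem):
        raise ValueError("record does not fit in buffer")
    length = int.from_bytes(mem[off:off + 2], "big")
    if length > record_len - 2:
        raise ValueError(f"declared length {length} exceeds record payload {record_len - 2}")
    return bytes(mem[off + 2:off + 2 + length])


def build_memory(record: bytes, neighbour: bytes) -> bytearray:
    """Constructed layout: the record, then unrelated data living right after it."""
    return bytearray(record) + bytearray(neighbour)


# Constructed input: a record that declares 16 payload bytes but carries only 4.
RECORD = (16).to_bytes(2, "big") + b"abcd"
# Constructed stand-in for an adjacent allocation.
NEIGHBOUR = b"<adjacent-allocation-contents>"
MEMORY = build_memory(RECORD, NEIGHBOUR)


def demo():
    """Return (bytes the unchecked parser leaks, whether the checked parser rejected it)."""
    leaked = parse_record_unchecked(MEMORY, 0)
    try:
        parse_record_checked(MEMORY, 0, len(RECORD))
        rejected = False
    except ValueError:
        rejected = True
    return leaked, rejected


if __name__ == "__main__":
    leaked, rejected = demo()
    print("unchecked parser returned:", leaked)
    print("checked parser rejected the record:", rejected)
```

The unchecked version hands back the 4 real payload bytes followed by 12 bytes of the neighbouring data, which is the confidentiality impact the advisory describes; the checked version refuses the record before any read happens.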
Attack Vector
Exploitation is network-based and requires user interaction. The victim must load attacker-controlled HTML that initiates a WebRTC session or feeds crafted data into the WebRTC parsing routines. No authentication or privileges are required on the target system. Refer to the Chromium Issue Tracker Entry for technical context.
No public proof-of-concept exploit is available at the time of writing, and the EPSS probability remains low.
Detection Methods for CVE-2026-12461
Indicators of Compromise
- Chrome processes establishing unexpected WebRTC peer connections to unfamiliar STUN/TURN endpoints shortly after visiting unknown URLs.
- Browser telemetry showing Chrome versions older than 149.0.7827.155 on Windows endpoints.
- HTML pages from low-reputation domains that invoke RTCPeerConnection immediately on load without user-driven media interaction.
Detection Strategies
- Inventory installed Chrome versions across Windows fleets and flag any build below 149.0.7827.155.
- Inspect proxy and DNS logs for connections to suspicious WebRTC signaling infrastructure originating from end-user browsers.
- Correlate browser crash reports and Windows Error Reporting events involving chrome.exe with recent navigation history.
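To make the STUN/TURN indicator and the proxy/DNS log review above concrete, here is an added Python example (not from the advisory) that correlates a host's visits to unfamiliar web domains with new connections to unlisted STUN/TURN endpoints within a short window. The log line format, the allowlists, the 30-second window and every hostname and domain are assumptions constructed for the example; only the STUN/TURN ports 3478 and 5349 are standard values.

```python
# Added example (not from the advisory): flag hosts that open STUN/TURN connections to
# endpoints outside the allowlist shortly after visiting an unfamiliar web domain.
from datetime import datetime, timedelta

STUN_TURN_PORTS = {3478, 5349}  # standard STUN/TURN and STUN/TURN-over-TLS ports
# Assumed allowlists; a real deployment would load these from configuration.
KNOWN_RTC_ENDPOINTS = {"stun.l.google.com", "turn.corp.example"}
KNOWN_WEB_DOMAINS = {"intranet.corp.example", "mail.corp.example"}
WINDOW = timedelta(seconds=30)  # assumed: how soon after the visit the connection must start

# Constructed sample lines: "<iso-time> <WEB|NET> <client-host> <dest-host> <dest-port>"
SAMPLE_LOG = """\
2026-06-18T09:00:01 WEB WS-0102 intranet.corp.example 443
2026-06-18T09:00:05 WEB WS-0102 cdn-promo-7h3.example 443
2026-06-18T09:00:07 NET WS-0102 relay-91.example 3478
2026-06-18T09:00:09 NET WS-0102 relay-91.example 5349
2026-06-18T09:05:00 WEB WS-0103 mail.corp.example 443
2026-06-18T09:05:02 NET WS-0103 stun.l.google.com 3478
2026-06-18T09:10:00 NET WS-0104 relay-91.example 3478
"""


def parse_line(line: str):
    """Split one constructed log line into (timestamp, kind, client, dest, port)."""
    ts, kind, client, dest, port = line.split()
    return datetime.fromisoformat(ts), kind, client, dest, int(port)


def find_suspicious_rtc(log_text: str) -> list[dict]:
    """Return one hit per unlisted STUN/TURN connection preceded by an unfamiliar web visit."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e[0])
    recent_unknown_web: dict[str, list] = {}  # client -> [(ts, domain), ...]
    hits = []
    for ts, kind, client, dest, port in events:
        if kind == "WEB" and dest not in KNOWN_WEB_DOMAINS:
            recent_unknown_web.setdefault(client, []).append((ts, dest))
        elif kind == "NET" and port in STUN_TURN_PORTS and dest not in KNOWN_RTC_ENDPOINTS:
            prior = [d for t, d in recent_unknown_web.get(client, [])
                     if ts - WINDOW <= t <= ts]
            if prior:  # unlisted STUN/TURN endpoint right after an unfamiliar site: report it
                hits.append({
                    "client": client,
                    "rtc_endpoint": dest,
                    "port": port,
                    "after_visiting": prior[-1],
                    "time": ts.isoformat(),
                })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_rtc(SAMPLE_LOG):
        print(hit)
```

With the sample data, only WS-0102 is reported (twice, once per port). WS-0103 talks to an allowlisted STUN server and WS-0104 contacts the unlisted relay without a preceding unfamiliar visit, so neither meets the indicator as written; the WS-0104 case is the kind of lower-confidence event worth keeping in the data lake for retroactive hunting.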
Monitoring Recommendations
- Enable browser version reporting through enterprise management tooling such as Chrome Browser Cloud Management.
- Forward endpoint process and network telemetry to a central data lake for retroactive hunting once new indicators emerge.
- Track new entries on the Google Chrome Update Announcement page to identify additional related fixes.
How to Mitigate CVE-2026-12461
Immediate Actions Required
- Update Google Chrome on all Windows endpoints to version 149.0.7827.155 or later.
- Restart Chrome after the update so the patched binaries are loaded into memory.
- Validate the deployed version using chrome://version or centralized inventory tooling.
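The version inventory check under Detection Strategies and the version validation in the Immediate Actions are the same test, so here is one added Python example (not from the advisory or from Google) that flags Windows endpoints whose Chrome build is below 149.0.7827.155. It compares the four dotted components numerically rather than as strings, which matters because a string comparison would rank 149.0.7827.99 above 149.0.7827.155. The inventory rows, hostnames and versions are constructed.

```python
# Added example (not from the advisory): flag Windows endpoints whose Chrome build is
# older than the first fixed version for CVE-2026-12461. Inventory rows are constructed;
# a real run would read them from an inventory or Chrome Browser Cloud Management export.
from typing import NamedTuple

FIXED_VERSION = "149.0.7827.155"  # first fixed Stable build per the advisory


def parse_version(version: str) -> tuple[int, ...]:
    """Turn a dotted Chrome version into an int tuple so it compares numerically."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Chrome version format: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build is strictly older than the fixed build."""
    return parse_version(version) < parse_version(fixed)


class Endpoint(NamedTuple):
    hostname: str
    os_name: str
    chrome_version: str


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    Endpoint("WS-0101", "Windows 11", "149.0.7827.155"),
    Endpoint("WS-0102", "Windows 10", "149.0.7827.99"),
    Endpoint("WS-0103", "Windows 11", "148.0.7702.210"),
    Endpoint("WS-0104", "Windows 11", "149.0.7827.160"),
    Endpoint("MAC-0201", "macOS 15", "148.0.7702.210"),  # out of scope: advisory covers Windows
]


def find_vulnerable(inventory) -> list[str]:
    """Return hostnames of Windows endpoints still below the fixed build."""
    flagged = []
    for ep in inventory:
        if not ep.os_name.startswith("Windows"):
            continue
        try:
            if is_vulnerable(ep.chrome_version):
                flagged.append(ep.hostname)
        except ValueError:
            flagged.append(ep.hostname)  # unparseable version: treat as needing review
    return flagged


if __name__ == "__main__":
    for host in find_vulnerable(SAMPLE_INVENTORY):
        print(f"{host}: update Chrome to {FIXED_VERSION} or later and relaunch")
```

Endpoints with an unparseable version string are flagged rather than skipped, so a broken inventory field cannot silently hide an unpatched machine.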
Patch Information
Google addressed CVE-2026-12461 in the Stable channel desktop release announced on the Google Chrome Update Announcement. Windows users should install Chrome 149.0.7827.155 or any later Stable build. Chromium-derived browsers should pick up the upstream WebRTC fix referenced in the Chromium Issue Tracker Entry.
Workarounds
- Enforce automatic Chrome updates through group policy to prevent users from delaying installation.
- Restrict WebRTC usage on managed browsers using the WebRtcAllowLegacyTLSProtocols and related enterprise policies where business processes permit.
- Block access to untrusted websites at the secure web gateway until patch coverage is verified.
# Configuration example: keep Chrome updating automatically and require a relaunch after an update (Windows registry policies; 1 = always allow updates, RelaunchNotification 2 = relaunch required, period in milliseconds).
# TargetVersionPrefix is a Google Update policy rather than a Chrome policy, and it caps updates at the given prefix instead of enforcing a minimum, so it is not used here.
reg add "HKLM\SOFTWARE\Policies\Google\Update" /v UpdateDefault /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Google\Update" /v "Update{8A69D345-D564-463c-AFF1-A69D9E530F96}" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v RelaunchNotification /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v RelaunchNotificationPeriod /t REG_DWORD /d 86400000 /f
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

