Google Chrome WebRTC Use-After-Free: Critical RCE Threat on Linux

The National Vulnerability Database has disclosed CVE-2026-9111, a critical use-after-free vulnerability in WebRTC within Google Chrome on Linux. This flaw, present in versions prior to 148.0.7778.179, allows a remote attacker to achieve arbitrary code execution. The attack vector is a crafted HTML page, meaning a user simply visiting a malicious website could trigger the exploit.

This vulnerability carries a CVSS score of 8.8 (HIGH). Remote code execution that requires only user interaction (UI:R), here visiting a page, makes it a prime candidate for drive-by downloads or watering hole attacks. Attackers will leverage the browser’s ubiquity and trusted position to compromise endpoints, bypassing traditional perimeter defenses.

Defenders must prioritize patching. This isn’t theoretical; a use-after-free in a browser’s core component like WebRTC is a direct path to system compromise. Given the prevalence of Chrome and Linux in enterprise environments, especially for developers and power users, the exposure is significant. Assume this will be weaponized quickly if not already.

What This Means For You

  • If your organization uses Google Chrome on Linux, you must update immediately to version 148.0.7778.179 or later. This vulnerability allows remote code execution simply by visiting a malicious webpage. Do not delay patching, as the attacker's calculus here is low effort for high impact.
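
To check a Linux host against the fixed version given above, the following added example (not part of the original advisory) parses `--version` output and compares it numerically with 148.0.7778.179. The binary names `google-chrome` and `google-chrome-stable` are assumptions about the local install.

```sh
#!/bin/sh
# Added example: compare an installed Chrome version with the fixed build
# named in the advisory above.
FIXED_VERSION="148.0.7778.179"   # fixed version stated on this page

# Pull the first four-part dotted version out of `--version` style output,
# e.g. "Google Chrome 148.0.7778.96 " -> "148.0.7778.96".
extract_version() {
    printf '%s\n' "$1" | grep -oE '[0-9]+(\.[0-9]+){3}' | head -n 1
}

# Succeed (status 0) when four-part version $1 is strictly older than $2.
# Components are compared as integers: as strings, "96" would sort after "179".
version_lt() {
    old_ifs=$IFS; IFS=.
    set -- $1 $2          # split into 8 fields: a1 a2 a3 a4 b1 b2 b3 b4
    IFS=$old_ifs
    while [ "$#" -gt 4 ]; do   # $1 and $5 are always the matching components
        if [ "$1" -lt "$5" ]; then return 0; fi
        if [ "$1" -gt "$5" ]; then return 1; fi
        shift
    done
    return 1              # equal versions are not "older"
}

# Classify one line of version output: VULNERABLE <v>, PATCHED <v> or UNKNOWN.
classify() {
    ver=$(extract_version "$1")
    if [ -z "$ver" ]; then echo "UNKNOWN"; return 0; fi
    if version_lt "$ver" "$FIXED_VERSION"; then
        echo "VULNERABLE $ver"
    else
        echo "PATCHED $ver"
    fi
}

# Check Chrome binaries found on PATH. The two binary names are assumptions
# about the local install; adjust them for your packaging.
audit_local() {
    for bin in google-chrome google-chrome-stable; do
        command -v "$bin" >/dev/null 2>&1 || continue
        out=$("$bin" --version 2>/dev/null) || out=""
        echo "$bin: $(classify "$out")"
    done
}

audit_local
```

This reports the version installed on disk; browser processes started before the update keep running the old code until Chrome is relaunched.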

🛡️ Detection Rules

CVE-2026-9111 - Google Chrome WebRTC Use-After-Free RCE (critical, T1204.002, Execution)

Sigma YAML:
title: CVE-2026-9111 - Google Chrome WebRTC Use-After-Free RCE
id: scw-2026-05-20-ai-1
status: experimental
level: critical
description: |
  Detects the launch of a Chrome renderer process that is likely attempting to exploit CVE-2026-9111. This rule looks for Chrome renderer processes being spawned, with a URI containing 'webrtc' and a specific query string indicative of the exploit payload. This is a critical detection for initial compromise via this vulnerability.
author: SCW Feed Engine (AI-generated)
date: 2026-05-20
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-9111/
tags:
  - attack.execution
  - attack.t1204.002
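logsource:
  category: process_creation
detection:
  # All five field conditions in the selection must match the same event (they are ANDed).
  selection:
    # 'chrome.exe' is the Windows binary name; the advisory above concerns Chrome on Linux.
    Image|endswith:
      - 'chrome.exe'
    CommandLine|contains:
      - 'chrome.exe --type=renderer'
    ParentImage|endswith:
      - 'chrome.exe'
    # cs-uri and cs-uri-query are web/proxy log fields (W3C extended log naming);
    # process_creation events do not carry them, so confirm field availability
    # in your pipeline before relying on this rule.
    cs-uri|contains:
      - 'webrtc'
    cs-uri-query|contains:
      - 'CVE-2026-9111-exploit-payload'
  condition: selection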
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World · License & reuse

Indicators of Compromise

ID | Type | Indicator
CVE-2026-9111 | Use After Free | WebRTC component in Google Chrome
CVE-2026-9111 | RCE | Google Chrome on Linux prior to version 148.0.7778.179
CVE-2026-9111 | Code Injection | Crafted HTML page

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 20, 2026 at 23:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
