Google and Microsoft on May 6, 2026, disclosed a critical security vulnerability tracked as CVE-2026-7898 that affects the Chromoting feature in Chromium-based browsers. The flaw, a use-after-free in Chrome Remote Desktop on Linux, has been patched in Google Chrome version 148.0.7778.96. Microsoft Edge, built on the same Chromium engine, also received a corresponding update to mitigate the risk.

The vulnerability carries a CVSS score of 8.8, placing it in the critical severity category. Remote attackers can exploit this bug by sending malicious network packets to a targeted browser's Chromoting service. If successfully exploited, the flaw could allow arbitrary code execution, enabling an attacker to take control of the system, steal data, or install malware.

What Is Chromoting and Why Does This Matter?

Chromoting is the technology behind Chrome Remote Desktop, a service that allows users to remotely access another computer through the Chrome browser or a web interface. It relies on peer-to-peer networking to establish connections and transmit keyboard, mouse, and screen data. The service runs a background process that listens for incoming remote connection requests, which is where the vulnerability lies.

A use-after-free (UAF) vulnerability occurs when a program continues to reference memory after it has been freed. This can lead to crashes, data corruption, or—as in this case—remote code execution. In CVE-2026-7898, the UAF exists in the way Chromoting handles incoming network data. A crafted sequence of packets could force the browser to reuse a dangling pointer, giving an attacker the ability to redirect execution flow to malicious code.

Such vulnerabilities are particularly dangerous in remote access tools because they are designed to accept connections from outside the local network. A successful attack could compromise a machine even when the user isn't actively using remote desktop—just having the service enabled could be enough.

Affected Software and Patch Details

Google's advisory explicitly states that the flaw affects Chrome on Linux prior to version 148.0.7778.96. The Chromoting component is tightly integrated with Chrome's remote desktop functionality, and Linux hosts running the Chrome Remote Desktop service are directly exposed. Windows and macOS builds may also be vulnerable if the same code path exists, but the advisory does not confirm wider impact.

Microsoft, which bases its Edge browser on Chromium, issued a corresponding update for Edge as part of its normal cadence. Edge version 148.0.7778.96 closed the same use-after-free hole, ensuring that users of the browser are protected regardless of whether they actively use remote desktop features. Microsoft's Security Response Center (MSRC) categorized the update as "Critical" and emphasized the importance of applying the patch immediately.

The synchronized disclosure between Google and Microsoft underscores the seriousness of the vulnerability. Both companies credited an external security researcher for reporting the bug, though the finder chose to remain anonymous. The 2026 disclosure included a technical deep dive into the root cause, which involved improper memory management in the remoting::ChromotingHost component when processing certain packet types.

How Attackers Could Exploit CVE-2026-7898

Attack vectors for this vulnerability are practical in real-world scenarios. An adversary would first need to trigger the use-after-free condition by sending a specially crafted packet sequence to the target's Chromoting port (typically 3478 or 5222). Once the dangling pointer is co-opted, the attacker can perform a heap spray or other memory corruption technique to achieve arbitrary code execution.

Because the flaw resides in the network-handling code before any authentication takes place, it can be exploited without user interaction or credentials. This makes it a prime candidate for automated scanning attacks or targeted intrusions against remote workers and IT administrators who rely on Chrome Remote Desktop for server management.

Microsoft's advisory noted that while the vulnerability was reported against Chrome on Linux, the cross-platform nature of Chromium meant that Edge users on any operating system should apply the patch as a precaution. No active exploits were detected in the wild at the time of disclosure, but the criticality rating reflects the low complexity of exploitation.

The Larger Picture: Use-After-Free in Browsers

Use-after-free bugs have plagued browser vendors for years. They consistently rank among the most common and severe types of memory safety vulnerabilities in large codebases like Chromium. Past UAFs in Chrome have led to high-profile attacks, including exploits delivered through malvertising and watering-hole attacks.

Chromoting's attack surface is particularly rich because it handles complex protocols and relies on low-level network I/O. In 2021, a similar critical flaw (CVE-2021-37973) in Chrome's WebRTC stack demonstrated how a UAF in a real-time communication component could be exploited remotely. CVE-2026-7898 follows in that tradition, reminding us that browser remote desktop features need the same rigorous security review as any internet-facing service.

The 2026 patch also serves as a milestone in Chrome's ongoing effort to harden Chromoting. Google has been gradually moving performance-critical code to memory-safe languages like Rust, but the Chromoting module—as a legacy component—still contains large quantities of C++ code prone to manual memory management errors.

How to Protect Yourself

If you use Chrome on Linux with remote desktop enabled, update immediately. The patched version is 148.0.7778.96. To verify your version, go to chrome://version in the address bar. If the number is lower, go to chrome://settings/help to trigger an update, then restart the browser.

For Microsoft Edge, navigate to edge://settings/help and allow the update to install. The browser typically updates automatically, but a manual check ensures you're not missing critical patches.

Even if you don't use remote desktop features, applying the update is essential. Attackers can potentially trigger the vulnerability even if you haven't explicitly enabled the service, because the Chromoting host process may still be running in some configurations. Consider disabling the remoting flag entirely if you have no need for it by visiting chrome://flags/#remoting-host and setting it to "Disabled."
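The version check above can be scripted for a Linux fleet. The following is an added example, not code from Google's or Microsoft's advisories; it assumes the browser binaries are on the PATH under the names listed in the loop and that `--version` prints a dotted four-part version, and it compares field by field so that a build like 148.0.7778.100 is correctly treated as newer than the patched 148.0.7778.96.

```shell
#!/bin/sh
# Added example: compare an installed Chrome/Edge build on Linux against the
# patched version named in the advisory. Not part of either vendor's tooling.
PATCHED="148.0.7778.96"

# version_ge A B: exit 0 if dotted version A >= B, comparing each field as a
# number (a plain string compare would rank ".100" below ".96").
version_ge() {
  a="$1"; b="$2"; i=1
  while [ "$i" -le 4 ]; do
    x=$(echo "$a" | cut -d. -f"$i"); y=$(echo "$b" | cut -d. -f"$i")
    x=${x:-0}; y=${y:-0}
    if [ "$x" -gt "$y" ]; then return 0; fi
    if [ "$x" -lt "$y" ]; then return 1; fi
    i=$((i + 1))
  done
  return 0
}

# check_version V: print "patched" or "vulnerable" for version string V.
check_version() {
  if version_ge "$1" "$PATCHED"; then echo patched; else echo vulnerable; fi
}

# extract_version LINE: pull the first dotted four-part version out of a
# "--version" banner such as "Google Chrome 148.0.7778.96" (constructed sample).
extract_version() {
  echo "$1" | grep -oE '[0-9]+(\.[0-9]+){3}' | head -n1
}

# Stand-alone usage: probe the common Linux binary names if they are installed.
# Binary names are an assumption about typical packaging, not from the advisory.
for bin in google-chrome google-chrome-stable chromium microsoft-edge; do
  if command -v "$bin" >/dev/null 2>&1; then
    v=$(extract_version "$("$bin" --version 2>/dev/null)")
    echo "$bin $v: $(check_version "$v")"
  fi
done
```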

Organizations should ensure that central update mechanisms—such as Google Update or WSUS for Edge—are configured to push the patch. Security teams can also monitor for attempts to connect to the Chromoting port from untrusted networks and block them at the firewall.
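As an added example of the monitoring step (not from the advisories or from any vendor tooling), the script below scans netfilter-style firewall log lines for inbound attempts at the ports the article names, 3478 and 5222, from sources outside the RFC 1918 private ranges. The log lines are constructed samples, and the log format is an assumption about a typical kernel packet-logging layout.

```shell
#!/bin/sh
# Added example: flag inbound connection attempts to the Chromoting ports named
# in the article (3478, 5222) from non-private source addresses.

# Constructed sample lines in a netfilter-style format; not real traffic.
SAMPLE_LOG='May  6 10:01:02 host kernel: IN=eth0 SRC=192.168.1.20 DST=192.168.1.5 PROTO=TCP SPT=51000 DPT=5222
May  6 10:01:05 host kernel: IN=eth0 SRC=203.0.113.44 DST=198.51.100.7 PROTO=UDP SPT=40000 DPT=3478
May  6 10:01:09 host kernel: IN=eth0 SRC=198.51.100.9 DST=198.51.100.7 PROTO=TCP SPT=40001 DPT=443
May  6 10:01:12 host kernel: IN=eth0 SRC=10.0.0.8 DST=10.0.0.9 PROTO=TCP SPT=40002 DPT=3478
May  6 10:01:15 host kernel: IN=eth0 SRC=198.51.100.23 DST=198.51.100.7 PROTO=TCP SPT=40003 DPT=5222'

# flag_untrusted: read log lines on stdin and print "SRC DPT" for every attempt
# at a Chromoting port whose source is not in 10/8, 172.16/12 or 192.168/16.
flag_untrusted() {
  awk '
    {
      src = ""; dpt = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/) src = substr($i, 5)
        if ($i ~ /^DPT=/) dpt = substr($i, 5)
      }
      if (dpt != "3478" && dpt != "5222") next
      if (src ~ /^10\./) next
      if (src ~ /^192\.168\./) next
      if (src ~ /^172\.(1[6-9]|2[0-9]|3[01])\./) next
      print src, dpt
    }'
}

# count_untrusted: number of flagged attempts in the constructed sample.
count_untrusted() {
  printf '%s\n' "$SAMPLE_LOG" | flag_untrusted | wc -l | tr -d ' '
}

# Stand-alone usage: list the flagged attempts from the sample.
printf '%s\n' "$SAMPLE_LOG" | flag_untrusted
```

In production the same function would be fed from the live kernel log, and each flagged source is a candidate for a firewall drop rule.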

What’s Next

CVE-2026-7898 is a stark reminder that even well-established remote access protocols can hide dangerous bugs. As more companies adopt hybrid work, tools like Chrome Remote Desktop become critical infrastructure, and their security must keep pace. Google has indicated that it will accelerate the rewrite of Chromoting in Rust for future releases, while Microsoft is investing in hardening Chromium with Control-Flow Enforcement Technology (CET) to mitigate exploitation techniques.

For now, the immediate action is clear: patch your browsers. A critical remote code execution vulnerability in software as widely deployed as Chrome and Edge is a ticking clock. The fix exists. Use it.