{
"title": "Google Fixes High-Severity Chrome CVE-2026-11664; Windows Users Must Update to 149.0.7827.103",
"content": "Google has shipped Chrome 149.0.7827.103 for Windows, macOS, and Linux, closing a high-severity use-after-free hole in the browser’s Payments component. The vulnerability, catalogued as CVE-2026-11664, was disclosed on June 8, 2026, and affects all earlier versions of the Chrome 149 branch. Users are urged to apply the update within the next 24 hours to prevent potential exploitation.
The flaw landed a “High” severity rating from Google, indicating it could be leveraged by remote attackers to corrupt memory and execute arbitrary code. While Google has not confirmed active exploitation in the wild, the nature of use-after-free bugs—combined with the sensitive Payments module—makes this patch a priority for both consumers and IT administrators.
CVE-2026-11664: A Memory Corruption Time Bomb
CVE-2026-11664 is a classic use-after-free (UAF) vulnerability. In computer memory management, a UAF occurs when an application frees a chunk of memory but continues to reference that freed memory later. Attackers can deliberately force this condition, then overwrite the freed memory with malicious data. When the application subsequently uses that corrupted memory, it can lead to arbitrary code execution at the application’s privilege level. In Chrome’s case, that means escaping the browser’s sandbox—though often a second vulnerability is required for full system compromise.
The Payments component is part of Chrome’s Web Payments API, which enables websites to request payment information (credit card details, shipping addresses) through a standardized interface. This module handles sensitive data and interacts with operating system payment services. A memory error here could allow a malicious web page to hijack the payment flow, steal credentials, or achieve code execution.
Google’s advisory notes that the bug was reported by an external security researcher, though the company is withholding the researcher’s name and the exact details of the flaw until a majority of users have updated—a standard practice to slow exploit development.
How Chrome 149.0.7827.103 Squashes the Bug
The patch updates Chrome to version 149.0.7827.103 on all desktop platforms. The update modifies how the Payments component handles memory allocation and deallocation, ensuring that freed memory is thoroughly invalidated before any further references. Typically, Google addresses UAF bugs by adding stronger pointers or reference counting, or by rewriting vulnerable sections entirely.
Chrome’s rapid release cycle means that the fix is already rolling out via the browser’s built-in updater. For users who have automatic updates enabled, the patch will install silently in the background and take effect upon restarting Chrome. However, many users—especially in enterprise environments—may have updates deferred or managed manually, warranting immediate action.
Check Your Chrome Version and Update on Windows
To verify your Chrome version on