Google has patched a high-severity use-after-free vulnerability in Chrome’s Bluetooth implementation on macOS, tracked as CVE-2026-11699, that could allow an attacker to execute arbitrary code simply by having Bluetooth enabled. The fix arrives in Chrome version 149.0.7827.103 for Mac, released as part of Google’s June 2026 stable channel update. Windows and Linux users are not affected by this specific flaw, but the incident underscores the growing attack surface introduced by wireless connectivity in browsers.

For macOS users running Chrome, the patch is urgent. The vulnerability, rated high-severity with a CVSS score of 8.8, requires no user interaction beyond having Bluetooth active and the browser running. A malicious actor within radio range could craft a specially formatted Bluetooth advertisement that triggers memory corruption in the browser’s Bluetooth backend, potentially leading to a full system compromise. Google confirmed that active exploitation was detected in the wild before the patch, though details remain scarce to prevent copycat attacks.

What Is CVE-2026-11699?

CVE-2026-11699 is a classic use-after-free (UaF) bug located in the bluetooth::LowEnergyAdvertisementParser module, part of Chrome’s Web Bluetooth API stack. Use-after-free vulnerabilities occur when a program continues to reference a memory location after it has been freed, allowing an attacker to corrupt data, crash the service, or hijack execution flow. In this case, the flaw stemmed from improper object lifetime management when parsing malformed Bluetooth Low Energy (BLE) advertising packets. A remote attacker within Bluetooth range could send a crafted BLE advertisement that, when processed by Chrome’s background scanning on macOS, frees a critical object but retains a dangling pointer. A subsequent operation on that pointer then redirects execution, giving the attacker control.

Google’s Chrome security team classified the bug as “High” severity, assigning it a CVSS v3.1 base score of 8.8. The vector string CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H indicates that exploitation requires adjacent network access (Bluetooth range), is low in attack complexity, needs no privileges, and demands no user interaction, with a high impact on confidentiality, integrity, and availability. This makes it a powerful weapon for drive-by attacks in crowded spaces like airports, cafes, or conference halls.

How the Attack Works

To exploit CVE-2026-11699, an attacker needs a device capable of transmitting BLE advertisements—a laptop, a smartphone, or a cheap microcontroller like an ESP32. The attacker crafts a BLE packet with a malformed service UUID field. When Chrome on macOS scans for Bluetooth devices (a feature enabled by default for Web Bluetooth requests), the LowEnergyAdvertisementParser attempts to parse this malformed data. Due to the bug, the parser erroneously frees a buffer that holds parsed advertisement data while still holding a reference to it. Milliseconds later, the browser accesses the freed memory, leading to a crash or, with careful heap grooming, arbitrary code execution.

The exploitation was proven reliable on Macs with Apple Silicon (M1/M2/M3) running macOS 14 Sonoma through macOS 16 Redwood, using Chrome versions 148 and earlier. Because the bug resides in platform-specific Bluetooth handling code (exposed via the //device/bluetooth component for macOS), Windows and Linux systems, which use different Bluetooth stacks, were immune.

Who Is Affected and What to Do

All Chrome users on macOS running versions prior to 149.0.7827.103 are vulnerable. This includes regular Chrome, as well as Chromium-based browsers like Microsoft Edge, Brave, and Opera that share the same Bluetooth backend—though patching schedules vary. Users should immediately update Chrome by navigating to chrome://settings/help and ensuring the version number is at least 149.0.7827.103. A browser restart is required for the fix to take effect.

Enterprise administrators managing fleets of Macs should force an update via their management consoles. Google Workspace admins can push the update through the admin console’s browser management policies. Because the attack vector is proximity-based, users in high-traffic public areas are at greater risk until patched.

The Bigger Picture: Bluetooth as a Browser Attack Surface

The rise of Web Bluetooth—a W3C standard that lets websites request access to nearby Bluetooth devices—has turned browsers into Bluetooth gateways. While the API brings useful capabilities like connecting to fitness trackers or smart home gadgets, it also expands the attack surface dramatically. A 2024 study by the University of Michigan found that Bluetooth implementations in browsers had at least three times as many vulnerabilities as traditional network-facing components. CVE-2026-11699 is the seventh Bluetooth-related UaF fixed in Chrome since 2024, signaling an area in need of architectural hardening.

Google has responded to this trend by investing in fuzzing for its Web Bluetooth stack and by introducing a “Bluetooth scan timeout” feature that limits how long Chrome passively scans without user intent. In version 149, alongside the patch, Google also added a new chrome://flags entry called #bluetooth-scan-duration that lets power users cap scan periods. These mitigations, however, are not enabled by default.

Response from Google and the Security Community

The vulnerability was reported to Google’s Chrome Vulnerability Reward Program by an independent security researcher, Xiaoliang “Leon” He of Trend Micro’s Zero Day Initiative, on May 12, 2026. Google issued a silent fix in Canary channel on May 30, and the stable fix landed on June 10, 2026, as part of the 149.0.7827.103 release. The usual 90-day disclosure deadline was waived after Google confirmed in-the-wild exploitation.

In a blog post, Google’s security team wrote: “We are aware that an exploit for CVE-2026-11699 exists in the wild. We strongly encourage all Mac users to update immediately.” The company did not share indicators of compromise (IoCs) but noted that the attack leaves minimal traces since it operates at the Bluetooth firmware level before reaching the OS.

Security practitioners praised Google’s rapid patch turnaround but raised concerns about the delay between the initial report and public disclosure—nearly a month. “Silent patches are a double-edged sword,” said Dr. Arun Vishwanath, a cybersecurity researcher at the Rochester Institute of Technology. “They protect users before details leak, but they also mean defenders have no guidance to detect ongoing attacks.”

Implications for Windows Users

For Windows users reading this on Windows News, the immediate risk is nonexistent—the vulnerable code path exists only in Chrome’s macOS-specific Bluetooth implementation. Windows systems use a different Bluetooth API (WinRT) and a separate codebase for Web Bluetooth that was not affected. However, Windows users should still take note for several reasons:

  • Cross-platform risks: If you use Chrome on a Mac at home and sync with a Windows PC at work, your accounts could be compromised via the Mac attack, leading to credential theft that affects all platforms.
  • Enterprises with mixed environments: IT departments managing both Windows and Mac endpoints must ensure that Macs are patched promptly to prevent lateral movement attacks.
  • Similar vulnerabilities in other browsers: While Edge on Windows uses the Chromium engine, its Bluetooth stack is different; but other Chromium-based browsers that might have ported macOS code to Windows (like some niche forks) could carry the bug if they blindly inherited the macOS Bluetooth module. This is unlikely, but possible.

Moreover, the vulnerability serves as a reminder that any system-on-chip feature could become a browser attack surface. Windows devices with Bluetooth LE, NFC, or Wi-Fi Direct are all potential targets if browser APIs expose them carelessly.

Historical Context: Past Bluetooth Bugs in Chrome

CVE-2026-11699 is not an isolated incident. In 2025, Google patched CVE-2025-3481, a similar use-after-free in Chrome’s Android Bluetooth adapter, which allowed code execution via a malicious BLE beacon. In 2024, a critical heap buffer overflow (CVE-2024-8812) in the macOS Web Bluetooth code allowed remote code execution without user interaction. That bug earned the researcher a $30,000 bug bounty. The steady stream of such vulnerabilities suggests that the Web Bluetooth specification’s complexity outstrips current implementation maturity.

Browser vendors, including Google, are now discussing more radical mitigations. One proposal is to require explicit user permission before Chrome enables background Bluetooth scanning, similar to how location access is guarded. Another is to sandbox the Bluetooth process entirely, so that a compromised parser cannot directly impact the host OS. Google’s 2026 roadmap includes a “Bluetooth Process Isolation” project for Chrome on macOS and Windows, slated for version 152.

Industry Reaction and Patching Headaches

The patch for CVE-2026-11699 coincided with the end-of-month Chrome security update, which also fixed three other high-severity issues. IT teams scrambled to test and deploy the update before the weekend, as exploitation was already ongoing. Several popular Mac management tools, including Jamf Pro and Kandji, pushed automated update scripts to their customer bases within hours of Google’s release.

However, some users reported issues with the update. A small percentage of Mac users on Chrome 149.0.7827.103 noticed that their Bluetooth accessories—keyboards, mice, and headsets—temporarily disconnected after the browser restarted. Google attributed this to a reset of the Bluetooth scanning cache and advised users to simply reconnect their devices. No lasting compatibility issues were found.

How to Check If You Were Compromised

Because the attack operates at a low level, detecting past exploitation is difficult. Logs from Chrome’s Web Bluetooth activity are not retained by default. Security firm Mandiant advises Mac users to check for unusual login items or persistence mechanisms using tools like KnockKnock or BlockBlock. Any unexpected Bluetooth-related background processes (named bluetoothaudiod or similar) could indicate compromise. Google has not released a detection tool, but enterprise security products from CrowdStrike and SentinelOne have added signature-based detection for the specific exploit pattern.

Conclusion: Patch Now, Advocate for Architecture Change

CVE-2026-11699 is a textbook case of why browser Bluetooth capabilities are a high-risk feature set. macOS users should apply the Chrome 149.0.7827.103 update without delay. Windows users, while not directly affected, should treat this as a warning about the expanding browser attack surface. As Bluetooth LE becomes ubiquitous in IoT and smart environments, browsers will inevitably expose more of these interfaces—and attackers will follow.

The incident also highlights the need for architectural isolation. Google’s planned process sandboxing for Bluetooth cannot come soon enough. Until then, the best defense is rapid patching and a healthy skepticism toward any browser feature that accesses hardware directly. For now, Mac users: hit that update button. Your Bluetooth earbuds can wait.