ChromeOS LTS-144 Update: Critical CVE-2026-11644 Patching and Remediation Guide

Google has released the Long Term Support (LTS) channel update LTS-144 for ChromeOS, addressing a critical security vulnerability and a significant cluster of high-severity memory corruption bugs. For enterprise environments—particularly those in education, healthcare, and government that rely on the LTS channel for stability—this update is non-negotiable.

The standout issue, CVE-2026-11644 (Critical), is a Use-After-Free (UAF) vulnerability in the Views component. Because the Views component governs the fundamental UI framework of the Chrome browser and ChromeOS, a successful exploit here provides a potent path for an attacker to escape the browser sandbox and execute arbitrary code at the operating system level.

Technical Analysis

Affected Product: ChromeOS (Long Term Support Channel) Fixed Version: 144.0.7559.255 (Platform Version: 16503.87.0)

Critical Vulnerability:

• CVE-2026-11644 (Critical): Use-after-free in Views. This flaw allows an attacker to dereference a pointer to memory that has already been freed. In the context of Views, this can lead to a full sandbox escape scenario when combined with a renderer exploit.

High-Severity Vulnerabilities: The update simultaneously patches a complex chain of High-severity UAF and Out-of-Bounds (OOB) write vulnerabilities that typically serve as the "read/write primitives" in an exploit chain:

• CVE-2026-8555: Use-after-free in GTK.
• CVE-2026-7906: Use-after-free in SVG.
• CVE-2026-7926: Use-after-free in PresentationAPI.
• CVE-2026-7335 & CVE-2026-7355: Use-after-free in Media.
• CVE-2026-7910 & CVE-2026-6316: Use-after-free in Views and Forms.
• CVE-2026-6314: Out of bounds write in GPU. GPU process compromises are a critical stepping stone for moving from a renderer compromise to a system-level breach.
• CVE-2026-7360 & CVE-2026-6312: Insufficient validation of untrusted input in Compositing and related components.

Attack Chain & Exploitation Status: A typical attack would involve luring a user to a malicious webpage. The attacker would first trigger a renderer UAF (e.g., via SVG or Media) to gain code execution inside the sandbox. They would then chain the Views UAF (CVE-2026-11644) or the GPU OOB write to escape the sandbox and install persistence on the ChromeOS device. While the advisory does not explicitly state these are "in the wild," the concentration of High/Critical memory bugs in a single LTS release makes it a high-priority target for exploit developers.

Detection & Response

Detecting the exploitation of memory corruption bugs like UAFs on endpoints is challenging; often, the first sign of an exploit attempt is a browser crash. However, verifying patch compliance is the most effective defensive measure.

Sigma Rules

The following rules target Linux/ChromeOS logs to identify devices running vulnerable versions or exhibiting signs of renderer process crashes that may indicate exploitation attempts.

---
title: ChromeOS Vulnerable Version Detection - LTS-144
id: 8a5c2d31-9e1f-4a7b-8c0d-1e2f3a4b5c6d
status: experimental
description: Detects ChromeOS devices reporting a version lower than the patched LTS-144 release (144.0.7559.255).
references:
 - http://chromereleases.googleblog.com/2026/06/long-term-support-channel-update-for_0398938937.html
author: Security Arsenal
date: 2026/06/03
tags:
  - detection.config
  - cve-2026-11644
logsource:
  product: linux
  service: auditd
detection:
  selection:
    message|contains: 'CHROMEOS_RELEASE_VERSION='
  filter:
    message|contains:
      - '144.0.7559.255'
      - '145.' # Future versions
  condition: selection and not filter
falsepositives:
  - None
level: critical
---
title: ChromeOS Browser Renderer Crash - Potential Exploit
id: 9b6d3e42-0f2a-5b8c-9d1e-2f3a4b5c6d7e
status: experimental
description: Detects segmentation faults in Chrome renderer or GPU processes, which may indicate exploitation attempts of UAF/OOB vulnerabilities.
author: Security Arsenal
date: 2026/06/03
tags:
  - attack.execution
  - attack.t1203
logsource:
  product: linux
  service: syslog
detection:
  selection:
    program|contains:
      - 'chrome'
      - 'chromeos'
    message|contains:
      - 'segmentation fault'
      - 'received signal 11'
      - 'renderer'
      - 'gpu-process'
  condition: selection
falsepositives:
  - Legitimate application instability
level: high

KQL (Microsoft Sentinel / Defender)

// Hunt for ChromeOS devices running vulnerable versions (< 144.0.7559.255)
// Assumes ChromeOS logs are ingested via Syslog or CEF
Syslog
| where ProcessName contains "chrome" or SyslogMessage contains "CHROMEOS_RELEASE_VERSION"
| parse SyslogMessage with * "CHROMEOS_RELEASE_VERSION=" ReleaseVersion:string "\n" *
| parse SyslogMessage with * "CHROMEOS_RELEASE_BUILD_NUMBER=" BuildNumber:string "\n" *
| where isnotempty(ReleaseVersion)
| extend VersionParts = split(ReleaseVersion, ".")
| extend Major = toint(VersionParts[0]), Minor = toint(VersionParts[1]), Patch = toint(VersionParts[2]), Build = toint(VersionParts[3])
| project-away VersionParts
| where Major < 144 or (Major == 144 and Minor < 0) or (Major == 144 and Minor == 0 and Patch < 7559) or (Major == 144 and Minor == 0 and Patch == 7559 and Build < 255)
| summarize count() by Computer, ReleaseVersion, _TimeGenerated
| order by count_ desc

Velociraptor VQL

Use this artifact on ChromeOS devices (or Linux endpoints running Chrome Enterprise) to verify the installed version against the patched baseline.

-- Check ChromeOS Release Version for LTS-144 Compliance
SELECT read_file(filename = "/etc/lsb-release")
       AS Content,
       parse_string(data=Content, regex='CHROMEOS_RELEASE_VERSION=(?P<Version>.*)')
       AS Parsed
FROM scope()
WHERE Parsed.Version NOT =~ "144.0.7559.255"
      AND Parsed.Version NOT =~ "145."

Remediation Script (Bash)

This script is intended for ChromeOS administrators (with shell access) to force an update check to the latest LTS channel. Note that standard fleet management should be handled via the Google Admin Console.

#!/bin/bash
# ChromeOS LTS-144 Update Enforcement Script
# Checks current version and triggers update engine if behind LTS-144

echo "Checking ChromeOS Version..."
if [ -f /etc/lsb-release ]; then
    . /etc/lsb-release
    echo "Current Version: $CHROMEOS_RELEASE_VERSION"
    echo "Current Build: $CHROMEOS_RELEASE_BUILD_NUMBER"

    # Check if version is less than target LTS-144 (144.0.7559.255)
    # Simple string comparison often works for Chrome versioning if format is consistent
    if [ "$CHROMEOS_RELEASE_VERSION" != "144.0.7559.255" ]; then
        echo "Version mismatch detected. Triggering update check..."
        update_engine_client -check_for_update
        update_engine_client -status
    else
        echo "System is on the target LTS-144 version."
    fi
else
    echo "Error: /etc/lsb-release not found."
fi

Remediation

1. Verify Update: Navigate to Settings > About ChromeOS. Ensure the device is running Version 144.0.7559.255 and Platform Version 16503.87.0.
2. Google Admin Console: For managed fleets, force the update via the Admin Console:
   • Go to Devices > Chrome > Settings.
   • Ensure the ChromeOS version is pinned to the LTS channel and update to the latest stable release is enabled.
3. Reboot: Apply the update and reboot the device to clear memory of any potentially active exploit processes.
4. Monitor: Review logs for unexplained renderer crashes leading up to the patch deployment.

Official Advisory: http://chromereleases.googleblog.com/2026/06/long-term-support-channel-update-for_0398938937.html

Related Resources

Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub