Severity by source
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Use after free in Cast in Google Chrome prior to 149.0.7827.53 allowed an attacker on the local network segment to execute arbitrary code via malicious network traffic. (Chromium security severity: High)
AnalysisAI
Remote code execution in Google Chrome versions prior to 149.0.7827.53 allows an attacker on the same local network segment (adjacent network) to execute arbitrary code by sending malicious traffic to the browser's Cast component. The flaw stems from a use-after-free memory corruption issue in the Cast feature (used for media streaming to devices like Chromecast) and is rated High severity by Chromium with a CVSS score of 8.8. No public exploit identified at time of analysis, though a vendor patch has been released.
Technical ContextAI
The vulnerability resides in Chrome's Cast subsystem, the component responsible for discovering and streaming media to Chromecast and other casting receivers over the local network (typically via mDNS/DIAL and DTLS/SRTP transports). CWE-416 (Use After Free) indicates that the Cast code retains and dereferences a pointer to memory that has already been released, which under attacker influence can be reallocated with controlled data and used to corrupt program state. Because Cast device discovery and session negotiation happen automatically on the local network segment, the vulnerable code path is reachable from any host sharing that LAN/Wi-Fi broadcast domain without any user action in the browser.
RemediationAI
Vendor-released patch: upgrade Google Chrome to 149.0.7827.53 or later on the Stable channel as announced at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html; in most enterprise deployments this happens automatically but admins should verify via chrome://settings/help and force a relaunch on managed endpoints. For users who cannot patch immediately, the practical workaround is to disable the Cast/Media Router feature via the MediaRouterEnabled=false enterprise policy (trade-off: users lose the ability to cast tabs and media to Chromecast/Google TV devices) or to ensure clients only operate on trusted network segments where adjacent attackers cannot reach the browser, since the bug requires reachability on the local broadcast domain. Blocking outbound/inbound mDNS (UDP 5353) and DIAL discovery traffic at the network edge does not help because the attack originates from inside the same segment, but VLAN/wireless client isolation does meaningfully reduce exposure.
Use-after-free vulnerability in the DisplayObject class in the ActionScript 3 (AS3) implementation in Adobe Flash Player
V8 in Google Chrome prior to 54.0.2840.90 for Linux, and 54.0.2840.85 for Android, and 54.0.2840.87 for Windows and Mac
Type confusion in V8 in Google Chrome prior to 59.0.3071.86 for Linux, Windows, and Mac, and 59.0.3071.92 for Android, a
The Array.prototype.concat implementation in builtins.cc in Google V8, as used in Google Chrome before 49.0.2623.108, do
Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderb
Incorrect handling of complex species in V8 in Google Chrome prior to 57.0.2987.98 for Linux, Windows, and Mac and 57.0.
The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbi
An issue was discovered in the Cisco WebEx Extension before 1.0.7 on Google Chrome, the ActiveTouch General Plugin Conta
The XrayWrapper implementation in Mozilla Firefox before 35.0 and SeaMonkey before 2.32 does not properly interact with
The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 18.0, Firefox ESR 17.x before 17.0.2, Thunderbi
The Web IDL implementation in Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and Se
Use-after-free vulnerability in the BitmapData class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13
Same weakness CWE-416 – Use After Free
View allSame technique Memory Corruption
View allVendor StatusVendor
SUSE
Severity: High| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34375
GHSA-rwjq-m543-2gh5