Skip to main content

Google Chrome CVE-2026-10954

| EUVDEUVD-2026-34403 HIGH
Use After Free (CWE-416)
2026-06-04 chrome-cve-admin@google.com GHSA-6jj2-wcwf-xw53
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
9.6 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 05, 2026 - 02:50 vuln.today
CVSS changed
Jun 05, 2026 - 02:22 NVD
8.8 (HIGH)
CVE Published
Jun 04, 2026 - 23:16 nvd
HIGH 8.8
CVE Published
Jun 04, 2026 - 23:16 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Use after free in Actor in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

AnalysisAI

Remote code execution in Google Chrome versions prior to 149.0.7827.53 stems from a use-after-free flaw in the Actor component that lets a remote attacker run arbitrary code within the renderer sandbox via a malicious HTML page. The flaw carries CVSS 8.8 and requires user interaction (visiting a crafted page), and at time of analysis there is no public exploit identified, though Chromium rates the security severity as High and a vendor patch has shipped.

Technical ContextAI

The vulnerability is a CWE-416 Use-After-Free in Chromium's Actor subsystem, a class of memory-safety bug where code continues to reference heap memory after it has been freed, enabling an attacker to control the contents at that address and ultimately hijack execution. Actor is part of Chromium's internal componentry reachable from web content via standard HTML/JS processing, so a crafted page loaded in the Blink renderer can trigger the dangling reference. Because the CVSS scope is Unchanged (S:U) and the description explicitly states execution occurs 'inside a sandbox,' initial code execution is constrained to the renderer process and would require a separate sandbox escape to reach the host OS - a typical Chromium exploitation pattern.

RemediationAI

Vendor-released patch: Google Chrome 149.0.7827.53 or later on the Stable channel - update via Chrome's built-in updater or by redeploying enterprise MSI/PKG packages, and consult the advisory at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html and the Chromium issue tracker at https://issues.chromium.org/issues/506150628 for technical context. Organizations running Chromium derivatives (Edge, Brave, Opera, Electron-based apps) should track and apply the corresponding downstream releases as they pick up the upstream fix. As a compensating control until patching completes, enterprises can enforce Site Isolation (already default), block users from browsing arbitrary external HTML via web filtering/proxy policy, or disable Chrome's site-loading of the affected feature where a kill-switch enterprise policy exists; the trade-off is reduced functionality on legitimate sites and incomplete protection, since the trigger is generic HTML and not a niche feature.

Vendor StatusVendor

SUSE

Severity: High
Product Status
openSUSE Tumbleweed Fixed

Share

CVE-2026-10954 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy