Severity by source
Sources disagree (Low–High)AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionNVD
Use after free in Extensions in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Low)
AnalysisAI
Remote code execution in Google Chrome prior to 149.0.7827.53 stems from a use-after-free flaw in the Extensions component, allowing a remote attacker who tricks a user into visiting a crafted HTML page to execute arbitrary code inside the browser's renderer sandbox. The issue is rated High by NVD (CVSS 8.8) despite Chromium's own Low severity tag, and no public exploit identified at time of analysis. A vendor patch is available via the June 2026 Stable Channel update.
Technical ContextAI
The vulnerability is a CWE-416 Use-After-Free defect in Chrome's Extensions subsystem, the component responsible for managing installed browser extensions and their interactions with web content and browser APIs. Use-after-free conditions occur when memory is freed but a dangling pointer is later dereferenced; an attacker who can groom the heap and time the access can coerce the freed slot into holding attacker-controlled data, typically yielding type confusion or control-flow hijack. Because Extensions runs inside Chrome's renderer/extension process context, exploitation as described lands the attacker inside the Chromium sandbox rather than at the host OS level, meaning a separate sandbox escape would be required for full compromise.
RemediationAI
Vendor-released patch: Google Chrome 149.0.7827.53 - update via the Stable Channel update announced at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html, typically delivered by Chrome's built-in auto-updater on next browser restart. Enterprise administrators should validate rollout via group policy or MDM and force-restart browsers where the update has staged but not applied. As a compensating control until patching completes, disable or restrict installation of non-essential browser extensions through the ExtensionInstallBlocklist / ExtensionInstallAllowlist policies, which reduces the attack surface of the Extensions subsystem at the cost of breaking user-installed productivity extensions; site-isolation and strict per-origin renderer enforcement should remain enabled as they help contain renderer-level compromises. Downstream Chromium browser users should consult their vendor's advisory and apply the corresponding upstream merge once published.
Same weakness CWE-416 – Use After Free
View allSame technique Memory Corruption
View allVendor StatusVendor
SUSE
Severity: Important| Product | Status |
|---|---|
| SUSE Package Hub 15 SP7 | Fixed |
| openSUSE Leap 16.0 | Fixed |
| openSUSE Tumbleweed | Fixed |
| SUSE Package Hub 15 SP7 | Affected |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34691
GHSA-78m8-95p2-9vf9