Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Remote crafted HTML (AV:N, AC:L, PR:N) requires the victim to visit the page (UI:R); renderer RCE yields full C/I/A:H but stays within the renderer sandbox so S:U.
Primary rating from Vendor (Chrome).
CVSS VectorVendor: Chrome
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
Use after free in Core in Google Chrome on Windows prior to 149.0.7827.115 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)
AnalysisAI
Remote code execution in Google Chrome on Windows prior to 149.0.7827.115 allows remote attackers to trigger a use-after-free condition in the Core component via a crafted HTML page, leading to arbitrary code execution within the renderer process. Chromium rates the severity as Critical, and no public exploit has been identified at time of analysis, but the bug class (UAF in Core) is historically a frequent target for in-the-wild exploitation against Chrome. The vulnerability requires the victim to visit attacker-controlled content (UI:R).
Technical ContextAI
The flaw is a CWE-416 use-after-free in Chrome's Core component, the browser-internal layer that coordinates lifecycle and shared object management across renderer, network, and UI subsystems. Use-after-free bugs occur when memory is freed while a dangling pointer is still reachable; subsequent dereferencing of that pointer permits an attacker who controls the reallocated heap region to influence virtual function tables or other indirect calls, ultimately yielding control of execution flow. The affected CPE is cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:* with the Windows build line being explicitly named; Chromium-derived browsers (Edge, Brave, Opera, Vivaldi) that share the same Core code are likely impacted until they pick up the upstream fix.
RemediationAI
Apply the vendor-released patch by upgrading to Google Chrome Stable 149.0.7827.115 or later on Windows; on managed fleets, force a relaunch so the patched binary is actually loaded rather than just downloaded, since Chrome only swaps versions on restart (see https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_01962725236.html and https://issues.chromium.org/issues/516731749). For Chromium-derived browsers (Edge, Brave, Opera, Vivaldi), install the corresponding vendor build that incorporates the upstream fix. Where immediate patching is not possible, compensating controls include enabling Site Isolation (default on desktop) and the renderer sandbox, restricting browsing to trusted sites via enterprise policy URLBlocklist, and deploying Microsoft Defender Exploit Guard / EMET-style mitigations (CFG, ACG) - note these reduce but do not eliminate UAF exploit reliability and may break legacy intranet apps that rely on cross-origin behaviour.
Same weakness CWE-416 – Use After Free
View allSame technique Use After Free
View allVendor StatusVendor
SUSE
Severity: Critical| Product | Status |
|---|---|
| SUSE Package Hub 15 SP7 | Fixed |
| openSUSE Tumbleweed | Fixed |
| SUSE Package Hub 15 SP7 | Affected |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36328
GHSA-wvh3-7fqf-9pv5