Skip to main content

Google Chrome CVE-2026-12007

| EUVDEUVD-2026-36328 HIGH
Use After Free (CWE-416)
2026-06-11 Chrome GHSA-wvh3-7fqf-9pv5
8.8
CVSS 3.1 · Vendor: Chrome
Share

Severity by source

Vendor (Chrome) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Remote crafted HTML (AV:N, AC:L, PR:N) requires the victim to visit the page (UI:R); renderer RCE yields full C/I/A:H but stays within the renderer sandbox so S:U.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
SUSE
CRITICAL
qualitative
Red Hat
8.8 HIGH
qualitative

Primary rating from Vendor (Chrome).

CVSS VectorVendor: Chrome

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 12, 2026 - 02:22 vuln.today
CVSS changed
Jun 12, 2026 - 02:22 NVD
8.8 (HIGH)
CVSS changed
Jun 12, 2026 - 02:22 NVD
8.8 (HIGH)
CVE Published
Jun 11, 2026 - 20:48 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 11, 2026 - 20:48 cve.org
HIGH 8.8

DescriptionCVE.org

Use after free in Core in Google Chrome on Windows prior to 149.0.7827.115 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)

AnalysisAI

Remote code execution in Google Chrome on Windows prior to 149.0.7827.115 allows remote attackers to trigger a use-after-free condition in the Core component via a crafted HTML page, leading to arbitrary code execution within the renderer process. Chromium rates the severity as Critical, and no public exploit has been identified at time of analysis, but the bug class (UAF in Core) is historically a frequent target for in-the-wild exploitation against Chrome. The vulnerability requires the victim to visit attacker-controlled content (UI:R).

Technical ContextAI

The flaw is a CWE-416 use-after-free in Chrome's Core component, the browser-internal layer that coordinates lifecycle and shared object management across renderer, network, and UI subsystems. Use-after-free bugs occur when memory is freed while a dangling pointer is still reachable; subsequent dereferencing of that pointer permits an attacker who controls the reallocated heap region to influence virtual function tables or other indirect calls, ultimately yielding control of execution flow. The affected CPE is cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:* with the Windows build line being explicitly named; Chromium-derived browsers (Edge, Brave, Opera, Vivaldi) that share the same Core code are likely impacted until they pick up the upstream fix.

RemediationAI

Apply the vendor-released patch by upgrading to Google Chrome Stable 149.0.7827.115 or later on Windows; on managed fleets, force a relaunch so the patched binary is actually loaded rather than just downloaded, since Chrome only swaps versions on restart (see https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_01962725236.html and https://issues.chromium.org/issues/516731749). For Chromium-derived browsers (Edge, Brave, Opera, Vivaldi), install the corresponding vendor build that incorporates the upstream fix. Where immediate patching is not possible, compensating controls include enabling Site Isolation (default on desktop) and the renderer sandbox, restricting browsing to trusted sites via enterprise policy URLBlocklist, and deploying Microsoft Defender Exploit Guard / EMET-style mitigations (CFG, ACG) - note these reduce but do not eliminate UAF exploit reliability and may break legacy intranet apps that rely on cross-origin behaviour.

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
SUSE Package Hub 15 SP7 Fixed
openSUSE Tumbleweed Fixed
SUSE Package Hub 15 SP7 Affected

Share

CVE-2026-12007 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy