Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Remote crafted page (AV:N) needs only a victim visit (UI:R) with no auth (PR:N); a UAF enabling code execution yields high C/I/A within the unchanged browser scope.
Primary rating from Vendor (Chrome).
CVSS VectorVendor: Chrome
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Use after free in Digital Credentials in Google Chrome on Mac prior to 149.0.7827.197 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
AnalysisAI
Heap corruption via use-after-free in Google Chrome's Digital Credentials component on macOS allows a remote attacker to potentially execute code by luring a victim to a crafted HTML page, affecting Chrome builds prior to 149.0.7827.197. The flaw was reported internally by Google's Chrome team, and per CISA's SSVC framework exploitation is currently 'none', so this is no public exploit identified at time of analysis despite a high (8.8) CVSS score requiring user interaction. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the victim to open a crafted HTML page in Google Chrome on macOS at a version below 149.0.7827.197 (UI:R - user interaction is the key limiting factor; no authentication is needed, PR:N). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals conflict on urgency. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker hosts a crafted HTML page exercising the Digital Credentials API and lures a Chrome-on-Mac user to it via phishing link, malicious ad, or compromised site. Loading the page triggers the use-after-free, corrupting the heap; with a reliable allocation grooming primitive the attacker leverages this toward arbitrary code execution in the browser. … |
| Remediation | Vendor-released patch: Google Chrome 149.0.7827.197 - update Chrome to 149.0.7827.197 or later on macOS via Chrome's built-in updater (chrome://settings/help) and relaunch to apply, per the Stable channel advisory at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0482630350.html. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Inventory all macOS systems running Chrome versions prior to 149.0.7827.197 and segregate highest-risk users if necessary. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-416 – Use After Free
View allSame technique Memory Corruption
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39041
GHSA-mmm9-39xr-fcc3