Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack relies on a proximate malicious Bluetooth peripheral, so AV:A rather than AV:N; UI:R because the user must grant Bluetooth access; no privileges needed and full RCE impact.
Primary rating from Vendor (Chrome).
CVSS VectorVendor: Chrome
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Use after free in Bluetooth in Google Chrome on Mac prior to 149.0.7827.197 allowed a remote attacker to execute arbitrary code via a malicious peripheral. (Chromium security severity: High)
AnalysisAI
Remote code execution in Google Chrome for macOS prior to 149.0.7827.197 stems from a use-after-free in the browser's Bluetooth subsystem, letting a malicious Bluetooth peripheral corrupt memory and execute arbitrary code in the browser process. The flaw is rated High severity by Chromium with a CVSS 8.8, requires user interaction (UI:R) but no privileges, and currently has no public exploit identified at time of analysis; CISA SSVC marks exploitation status as none.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the victim to run a vulnerable Chrome build (< 149.0.7827.197) on macOS and to interact with a malicious Bluetooth peripheral - the CVSS UI:R flag confirms user interaction is mandatory, which in the Web Bluetooth flow means the user must accept a site's Bluetooth device-access prompt and connect to the attacker-controlled device. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Multiple signals point to a genuinely high-priority but not yet actively exploited issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker lures a victim to a malicious web page or has them connect to a rogue Bluetooth peripheral; when the user grants Bluetooth access (the required user interaction), the attacker-controlled peripheral returns crafted responses that trigger the use-after-free in Chrome's Bluetooth code, corrupting heap memory to execute arbitrary code in the browser process. Because attack complexity is low and no privileges are required, a reliable exploit could lead to full browser compromise, though no public POC has been identified at time of analysis. |
| Remediation | Vendor-released patch: update Google Chrome on macOS to 149.0.7827.197 or later, which is the fixed Stable channel release per Google's advisory at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0482630350.html; trigger Chrome's built-in updater (chrome://settings/help) and relaunch to apply, and roll the update through enterprise management (e.g., Google Admin/MDM) for fleet machines. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Communicate vulnerability to macOS user base and request immediate Chrome update to version 149.0.7827.197 or later; add notice about avoiding unknown Bluetooth connections. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-416 – Use After Free
View allSame technique Memory Corruption
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39047
GHSA-r2jr-m2rh-f5hg