Skip to main content

Google Chrome CVE-2026-13037

| EUVDEUVD-2026-39049 HIGH
Use After Free (CWE-416)
2026-06-24 Chrome GHSA-7898-6x7p-pr8g
7.8
CVSS 3.1 · Vendor: Chrome
Share

Severity by source

Vendor (Chrome) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
vuln.today AI
7.8 HIGH

Victim must open crafted HTML (UI:R) and the vector is local per the description (AV:L); no privileges needed (PR:N), and renderer code execution yields high C/I/A within an unchanged scope.

3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Chrome).

CVSS VectorVendor: Chrome

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 24, 2026 - 21:36 vuln.today
CVSS changed
Jun 24, 2026 - 20:22 NVD
7.8 (HIGH)
CVE Published
Jun 24, 2026 - 18:43 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 24, 2026 - 18:43 cve.org
HIGH 7.8

DescriptionCVE.org

Use after free in WebView in Google Chrome on Android prior to 149.0.7827.197 allowed a local attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

AnalysisAI

Arbitrary code execution within the renderer sandbox affects Google Chrome on Android before 149.0.7827.197 via a use-after-free defect in the WebView component, reachable when a victim renders a crafted HTML page. The flaw lets an attacker corrupt freed memory in the rendering process to gain code execution confined to the sandbox; CVSS is 7.8 (High) and Chromium rates it High severity. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Lure victim to crafted HTML page
Delivery
WebView renders malicious DOM content
Exploit
Trigger use-after-free in freed object
Execution
Reclaim memory with attacker data
Persist
Hijack control flow
Impact
Execute arbitrary code in renderer sandbox

Vulnerability AssessmentAI

Exploitation Exploitation requires the victim to open or render a crafted HTML page in the affected Chrome/Android WebView (UI:R - user interaction is mandatory), and per CVSS the vector is local (AV:L) rather than remotely network-triggered without interaction, framing this as a 'local attacker' delivering crafted content. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are moderately consistent and point to a real but not emergency-grade issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a malicious HTML page that triggers the WebView use-after-free and lures or directs a victim into opening it (for example in a Chrome tab or an in-app WebView), after which the freed-memory corruption is leveraged to run arbitrary code inside the renderer sandbox. Given AV:L and UI:R, success requires the user to actually render the malicious content rather than passive network exposure; no public exploit code is currently identified, so weaponization effort would fall on the attacker.
Remediation Vendor-released patch: 149.0.7827.197 - upgrade Google Chrome (and any embedded WebView/Chrome on Android) to 149.0.7827.197 or later, which is the primary and recommended fix per Google's Chrome Releases advisory (https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0482630350.html); on Android this also means ensuring the Android System WebView and Chrome apps are updated via the Play Store. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Notify all users with Android devices to update Chrome to version 149.0.7827.197 or later through the Google Play Store; verify update availability in your MDM if applicable. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-13037 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy