Skip to main content

Google Chrome CVE-2026-15112

| EUVDEUVD-2026-42476 HIGH
Use After Free (CWE-416)
2026-07-08 chrome-cve-admin@google.com GHSA-8cjf-6ccp-mxf7
8.8
CVSS 3.1 · Vendor: google
Share

Severity by source

Vendor (google) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Network-delivered crafted page needs no privileges (PR:N) but requires the victim to open it (UI:R); memory corruption yields High C/I/A within a renderer-confined, unchanged scope (S:U).

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (google).

CVSS VectorVendor: google

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jul 09, 2026 - 11:36 vuln.today
CVSS changed
Jul 09, 2026 - 11:22 NVD
8.8 (HIGH)
CVE Published
Jul 08, 2026 - 23:16 cve.org
UNKNOWN (no severity yet)
CVE Published
Jul 08, 2026 - 23:16 cve.org
HIGH 8.8

DescriptionCVE.org

Use after free in Ozone in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)

AnalysisAI

Remote heap corruption in Google Chrome desktop before 150.0.7871.115 stems from a use-after-free (CWE-416) in Ozone, the platform abstraction layer that mediates windowing, graphics, and input. A remote attacker who lures a victim into loading a crafted HTML page can trigger the freed-memory reuse and potentially achieve renderer-level code execution; Chromium rates the underlying flaw Critical. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Lure victim to crafted HTML page
Delivery
Page drives Ozone allocation and free
Exploit
Trigger use-after-free (CWE-416)
Execution
Reclaim freed heap slot
Persist
Corrupt heap and hijack control flow
Impact
Execute code in renderer process

Vulnerability AssessmentAI

Exploitation Exploitation requires the victim to open or render an attacker-controlled crafted HTML page in a vulnerable Chrome desktop build (before 150.0.7871.115) - the CVSS UI:R metric confirms user interaction is mandatory and is the primary limiting factor. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, base 8.8) shows a network-reachable, low-complexity, unauthenticated flaw whose only gating factor is user interaction - the victim must open a malicious page, which is trivial to induce for a browser. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker hosts or injects (for example via a malicious ad) a crafted HTML page and lures a Chrome user to it through a link or compromised site. Rendering the page drives Ozone to free and then reuse an object, giving the attacker heap corruption and a potential path to code execution in the renderer. …
Remediation Vendor-released patch: 150.0.7871.115 - update Google Chrome desktop to 150.0.7871.115 or later via the Chrome Releases stable channel update (https://chromereleases.googleblog.com/2026/07/stable-channel-update-for-desktop_01162222768.html) and relaunch the browser, since Chrome only applies staged updates on restart. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory Chrome deployments across all systems and identify all instances running versions before 150.0.7871.115. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-15112 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy