Skip to main content

Google Chrome CVE-2026-15116

| EUVDEUVD-2026-42487 HIGH
Use After Free (CWE-416)
2026-07-08 chrome-cve-admin@google.com GHSA-rf8j-gp6c-595q
8.8
CVSS 3.1 · Vendor: google
Share

Severity by source

Vendor (google) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Remote crafted page needs only a victim visit (AV:N/AC:L/PR:N/UI:R); sandbox-confined RCE keeps scope Unchanged with high C/I/A within the renderer.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (google).

CVSS VectorVendor: google

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jul 09, 2026 - 11:41 vuln.today
CVSS changed
Jul 09, 2026 - 11:22 NVD
8.8 (HIGH)
CVE Published
Jul 08, 2026 - 23:16 cve.org
UNKNOWN (no severity yet)
CVE Published
Jul 08, 2026 - 23:16 cve.org
HIGH 8.8

DescriptionCVE.org

Use after free in Actor in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

AnalysisAI

Remote code execution in Google Chrome desktop before 150.0.7871.115 lets a remote attacker run arbitrary code (constrained to the renderer sandbox) by luring a victim to a crafted HTML page that triggers a use-after-free in the Actor component. The flaw is network-reachable and requires only that the user visit a malicious page, but Chromium rates the severity High rather than Critical because code execution stays inside the renderer sandbox. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Lure victim to crafted HTML page
Delivery
Page triggers use-after-free in Actor
Exploit
Reclaim freed object with controlled data
Execution
Hijack control flow in renderer
Impact
Execute arbitrary code inside sandbox

Vulnerability AssessmentAI

Exploitation Exploitation requires the victim to actively open or be redirected to attacker-controlled HTML in a vulnerable Chrome build (prior to 150.0.7871.115) - the CVSS UI:R flag confirms user interaction (visiting/loading the page) is mandatory, which is the primary limiting factor. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, base 8.8) indicates a network-reachable, low-complexity, unauthenticated bug whose only real gate is user interaction - a victim must open a malicious page - and whose scope is Unchanged, consistent with execution remaining inside the sandbox. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker hosts a crafted HTML page - or injects it via a malvertising frame or compromised site - that triggers the use-after-free in Chrome's Actor component when rendered. A victim running a pre-150.0.7871.115 build simply visits the page, and the attacker gains arbitrary code execution within the renderer sandbox, from which they would typically chain a separate sandbox-escape to reach the host. …
Remediation Patch available per vendor advisory: update Google Chrome to 150.0.7871.115 or later on all desktop platforms via the Chrome Releases advisory at https://chromereleases.googleblog.com/2026/07/stable-channel-update-for-desktop_01162222768.html, then fully restart the browser so the new build is loaded (Chrome auto-updates but the relaunch is required to apply it). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Deploy communication requiring all users to update Google Chrome to version 150.0.7871.115 or later; confirm that Chrome auto-update is enabled in your environment. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-15116 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy