Skip to main content

Google Chrome CVE-2026-15118

| EUVDEUVD-2026-42489 HIGH
Use After Free (CWE-416)
2026-07-08 chrome-cve-admin@google.com GHSA-jhrp-v2xg-mr29
8.8
CVSS 3.1 · Vendor: google
Share

Severity by source

Vendor (google) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Remote crafted page requires a user to visit (UI:R) but no auth (PR:N); renderer UAF yields high CIA within an unchanged scope (S:U) as code stays in the sandbox.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (google).

CVSS VectorVendor: google

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jul 09, 2026 - 11:43 vuln.today
CVSS changed
Jul 09, 2026 - 11:22 NVD
8.8 (HIGH)
CVE Published
Jul 08, 2026 - 23:16 cve.org
UNKNOWN (no severity yet)
CVE Published
Jul 08, 2026 - 23:16 cve.org
HIGH 8.8

DescriptionCVE.org

Use after free in Input in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

AnalysisAI

Remote code execution in Google Chrome desktop before 150.0.7871.115 stems from a use-after-free in the browser's Input component, letting a remote attacker who lures a victim to a crafted HTML page run arbitrary code inside the renderer sandbox. Google rates the Chromium severity High and CVSS is 8.8, requiring user interaction (visiting a malicious page) but no authentication. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Host crafted HTML page
Delivery
Lure victim via phishing/malvertising
Exploit
Victim opens page in vulnerable Chrome
Execution
Trigger use-after-free in Input
Persist
Corrupt heap and hijack control flow
Impact
Execute arbitrary code in renderer sandbox

Vulnerability AssessmentAI

Exploitation Exploitation requires the victim to open a crafted HTML page in a vulnerable Google Chrome build prior to 150.0.7871.115 (UI:R user interaction), so it cannot be triggered fully unattended - a user must navigate to attacker-controlled content. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H = 8.8) indicates network reachability, low complexity, no privileges, but required user interaction and unchanged scope with full CIA impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker hosts a malicious web page containing JavaScript that manipulates input event objects to trigger the use-after-free in Chrome's Input component, then delivers the link via phishing email or a compromised/malvertising ad served on a legitimate site. When a victim running a pre-150.0.7871.115 Chrome opens the page (the required user interaction), the dangling pointer is exploited to execute attacker-controlled code within the renderer sandbox. …
Remediation Vendor-released patch: update Google Chrome to 150.0.7871.115 or later on Windows, macOS, and Linux via the built-in updater (Settings > About Google Chrome) and relaunch the browser to apply, per the Chrome Releases advisory (https://chromereleases.googleblog.com/2026/07/stable-channel-update-for-desktop_01162222768.html). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Notify all users to update Chrome immediately. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-15118 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy