EUVD-2026-17793
GHSA-rxr9-x3w7-wrh7
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
4Description
Use after free in WebCodecs in Google Chrome prior to 146.0.7680.178 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Analysis
Remote code execution in Google Chrome prior to 146.0.7680.178 allows unauthenticated remote attackers to execute arbitrary code within the Chrome sandbox via a crafted HTML page exploiting a use-after-free vulnerability in the WebCodecs component. The vulnerability affects all versions before the patched release and has been addressed by Google with a vendor-released patch; no public exploit code or active exploitation has been confirmed at the time of analysis.
Sign in for full analysis, threat intelligence, and remediation guidance.
Priority Score
Vendor Status
Debian
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye (security), bullseye | vulnerable | 120.0.6099.224-1~deb11u1 | - |
| bookworm | vulnerable | 143.0.7499.169-1~deb12u1 | - |
| bookworm (security) | vulnerable | 146.0.7680.164-1~deb12u1 | - |
| trixie | vulnerable | 145.0.7632.159-1~deb13u1 | - |
| trixie (security) | vulnerable | 146.0.7680.164-1~deb13u1 | - |
| forky | vulnerable | 146.0.7680.153-1 | - |
| sid | fixed | 146.0.7680.177-1 | - |
| bullseye | fixed | (unfixed) | end-of-life |
| (unstable) | fixed | 146.0.7680.177-1 | - |
Share
External POC / Exploit Code
Leaving vuln.today