Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
Use after free in Chromoting in Google Chrome on Linux prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary code via malicious network traffic. (Chromium security severity: Critical)
AnalysisAI
Remote code execution in Google Chrome's Chromoting component (remote desktop feature) on Linux allows unauthenticated attackers to execute arbitrary code through specially crafted network packets when a user interacts with a malicious remote desktop session. Fixed in Chrome 148.0.7778.96. Vendor rates severity as Critical. No public exploit code identified at time of analysis, but the use-after-free class (CWE-416) is well-understood and exploitable. CVSS 8.8 reflects network attack vector with low complexity requiring only user interaction, enabling full system compromise (high confidentiality, integrity, and availability impact).
Technical ContextAI
Chromoting is Google Chrome's built-in remote desktop protocol implementation, allowing users to remotely access computers via Chrome Remote Desktop. This vulnerability is a use-after-free (CWE-416) memory corruption flaw, occurring when the program continues to use a memory pointer after the referenced memory has been deallocated. In Chromoting's network traffic handling code, malicious packets can trigger this condition, causing the application to access freed memory. Attackers can manipulate the freed memory region to redirect program execution flow. The flaw is specific to the Linux implementation of Chrome (CPE: cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*), suggesting platform-specific code paths in the Chromoting network stack on Linux systems. Use-after-free vulnerabilities are particularly dangerous as they provide reliable primitives for achieving arbitrary code execution when successfully exploited.
RemediationAI
Update Google Chrome on Linux systems to version 148.0.7778.96 or later immediately. Chrome typically auto-updates within 24-48 hours of release; force an immediate update by navigating to chrome://settings/help and clicking 'Relaunch' when prompted. For enterprise deployments using managed Chrome installations, push the update through existing patch management systems (GPO, SCCM, or Linux package managers). Verify successful update by confirming version number at chrome://settings/help shows 148.0.7778.96 or higher. If immediate patching is not feasible, disable Chrome Remote Desktop as a temporary mitigation by removing the Chrome Remote Desktop extension and blocking chromeremotedesktop.google.com at the network perimeter-this eliminates the attack surface but prevents legitimate remote desktop functionality. Do not rely on network segmentation alone as the vulnerability can be triggered through man-in-the-middle attacks on legitimate sessions. Full advisory: https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html.
Use-after-free vulnerability in the DisplayObject class in the ActionScript 3 (AS3) implementation in Adobe Flash Player
V8 in Google Chrome prior to 54.0.2840.90 for Linux, and 54.0.2840.85 for Android, and 54.0.2840.87 for Windows and Mac
Type confusion in V8 in Google Chrome prior to 59.0.3071.86 for Linux, Windows, and Mac, and 59.0.3071.92 for Android, a
The Array.prototype.concat implementation in builtins.cc in Google V8, as used in Google Chrome before 49.0.2623.108, do
Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderb
Incorrect handling of complex species in V8 in Google Chrome prior to 57.0.2987.98 for Linux, Windows, and Mac and 57.0.
The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbi
An issue was discovered in the Cisco WebEx Extension before 1.0.7 on Google Chrome, the ActiveTouch General Plugin Conta
The XrayWrapper implementation in Mozilla Firefox before 35.0 and SeaMonkey before 2.32 does not properly interact with
The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 18.0, Firefox ESR 17.x before 17.0.2, Thunderbi
The Web IDL implementation in Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and Se
Use-after-free vulnerability in the BitmapData class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13
Same weakness CWE-416 – Use After Free
View allSame technique Denial Of Service
View allVendor StatusVendor
SUSE
Severity: HighShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27899