Skip to main content

Google Chrome EUVDEUVD-2026-34396

| CVE-2026-10947 HIGH
Use After Free (CWE-416)
2026-06-04 chrome-cve-admin@google.com GHSA-jhv3-c9rv-g7mr
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
9.6 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 05, 2026 - 02:47 vuln.today
CVSS changed
Jun 05, 2026 - 02:22 NVD
8.8 (HIGH)
CVE Published
Jun 04, 2026 - 23:16 nvd
HIGH 8.8
CVE Published
Jun 04, 2026 - 23:16 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Use after free in WebRTC in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

AnalysisAI

Remote code execution in Google Chrome versions prior to 149.0.7827.53 stems from a use-after-free flaw in the WebRTC component, enabling a remote attacker to execute arbitrary code within the renderer sandbox when a victim visits a crafted HTML page. Google rates the underlying Chromium severity as High, and the CVSS 3.1 score of 8.8 reflects network-reachable, low-complexity exploitation requiring only user interaction (visiting a page). No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV.

Technical ContextAI

WebRTC (Web Real-Time Communication) is the browser subsystem that enables peer-to-peer audio, video, and data channels directly between browsers, and it is enabled by default in Chrome. The flaw is classified as CWE-416 (Use-After-Free), a memory-safety error where code continues to reference a heap object after it has been freed; an attacker who can influence the timing and contents of reallocations can place attacker-controlled data into the freed slot and hijack subsequent dereferences, typically leading to type confusion and arbitrary code execution. Because WebRTC parses untrusted media/signaling state from a remote page, the attack surface is exposed to any origin the user visits. Per CPE/version data in the EUVD entry, only Chrome desktop builds before 149.0.7827.53 are affected; the issue is tracked upstream as Chromium issue 504597736.

RemediationAI

Vendor-released patch: Google Chrome 149.0.7827.53 - upgrade Chrome on all desktop endpoints to 149.0.7827.53 or later via the Stable channel as described in the Chrome Releases advisory (https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html); fleet-managed deployments should force a relaunch to ensure the update is applied. For Chromium-derivative browsers, install the vendor build that pulls in the WebRTC fix once published. As an interim compensating control if patching is delayed, administrators can disable WebRTC via enterprise policy (e.g., the WebRtcAllowLegacyTLSProtocols/URLBlocklist combination, or extensions that block WebRTC), accepting that this breaks video conferencing, Google Meet, Teams web client, and most peer-to-peer media applications; restricting browsing to trusted sites and enforcing Site Isolation reduces but does not eliminate exposure since UI:R only requires a user to visit an attacker-controlled page.

Vendor StatusVendor

SUSE

Severity: High
Product Status
openSUSE Tumbleweed Fixed

Share

EUVD-2026-34396 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy