Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Use after free in Actor in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
AnalysisAI
Remote code execution in Google Chrome versions prior to 149.0.7827.53 stems from a use-after-free flaw in the Actor component that lets a remote attacker run arbitrary code within the renderer sandbox via a malicious HTML page. The flaw carries CVSS 8.8 and requires user interaction (visiting a crafted page), and at time of analysis there is no public exploit identified, though Chromium rates the security severity as High and a vendor patch has shipped.
Technical ContextAI
The vulnerability is a CWE-416 Use-After-Free in Chromium's Actor subsystem, a class of memory-safety bug where code continues to reference heap memory after it has been freed, enabling an attacker to control the contents at that address and ultimately hijack execution. Actor is part of Chromium's internal componentry reachable from web content via standard HTML/JS processing, so a crafted page loaded in the Blink renderer can trigger the dangling reference. Because the CVSS scope is Unchanged (S:U) and the description explicitly states execution occurs 'inside a sandbox,' initial code execution is constrained to the renderer process and would require a separate sandbox escape to reach the host OS - a typical Chromium exploitation pattern.
RemediationAI
Vendor-released patch: Google Chrome 149.0.7827.53 or later on the Stable channel - update via Chrome's built-in updater or by redeploying enterprise MSI/PKG packages, and consult the advisory at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html and the Chromium issue tracker at https://issues.chromium.org/issues/506150628 for technical context. Organizations running Chromium derivatives (Edge, Brave, Opera, Electron-based apps) should track and apply the corresponding downstream releases as they pick up the upstream fix. As a compensating control until patching completes, enterprises can enforce Site Isolation (already default), block users from browsing arbitrary external HTML via web filtering/proxy policy, or disable Chrome's site-loading of the affected feature where a kill-switch enterprise policy exists; the trade-off is reduced functionality on legitimate sites and incomplete protection, since the trigger is generic HTML and not a niche feature.
Same weakness CWE-416 – Use After Free
View allSame technique Memory Corruption
View allVendor StatusVendor
SUSE
Severity: High| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34403
GHSA-6jj2-wcwf-xw53