Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Use after free in Views in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)
AnalysisAI
Heap corruption in Google Chrome's Views component prior to version 149.0.7827.53 allows a remote attacker to potentially execute code in the renderer when a user is convinced to perform specific UI gestures on a crafted HTML page. The flaw is a use-after-free (CWE-416) carrying a CVSS 8.8 rating, but EPSS is very low at 0.03% (11th percentile) and no public exploit is identified at time of analysis. Google has shipped a patched stable channel build, and Chromium rates the underlying issue as Medium severity.
Technical ContextAI
The defect lives in Chrome's Views UI framework, the C++ layer that renders the browser chrome (menus, dialogs, omnibox, tab strip) and mediates UI events between the user and web content. CWE-416 (Use After Free) means an object in Views is freed while a pointer to it remains reachable; subsequent dereference allows an attacker to influence the contents of the reclaimed heap region and corrupt control or data flow. Because Views runs inside the browser/renderer process and is reached through DOM-triggered UI flows, a crafted HTML page that drives a specific UI gesture (drag, click sequence, focus transition, etc.) can race or re-enter logic that releases an object still in use. The affected CPE family is cpe:2.3:a:google:chrome prior to 149.0.7827.53 on desktop platforms shipped via the Stable channel.
RemediationAI
Vendor-released patch: update Google Chrome to 149.0.7827.53 or later via the Stable channel (Help → About Google Chrome forces an update check and relaunch), as described at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html. For managed fleets, push the update via Chrome Browser Cloud Management, Group Policy, or Jamf/Intune and verify version compliance; Chromium-based browsers should be updated to the corresponding rebase once published by their vendors, and Electron applications should bump to a Chromium 149.0.7827.53-aligned runtime. No clean configuration workaround eliminates the bug, but interim compensating controls include enabling Site Isolation (default on), keeping the Enhanced Safe Browsing setting on to block known malicious pages (trade-off: sends more telemetry to Google), and for high-risk users routing browsing through a remote browser isolation service until the patch is deployed (trade-off: latency and broken web features).
Use-after-free vulnerability in the DisplayObject class in the ActionScript 3 (AS3) implementation in Adobe Flash Player
V8 in Google Chrome prior to 54.0.2840.90 for Linux, and 54.0.2840.85 for Android, and 54.0.2840.87 for Windows and Mac
Type confusion in V8 in Google Chrome prior to 59.0.3071.86 for Linux, Windows, and Mac, and 59.0.3071.92 for Android, a
The Array.prototype.concat implementation in builtins.cc in Google V8, as used in Google Chrome before 49.0.2623.108, do
Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderb
Incorrect handling of complex species in V8 in Google Chrome prior to 57.0.2987.98 for Linux, Windows, and Mac and 57.0.
The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbi
An issue was discovered in the Cisco WebEx Extension before 1.0.7 on Google Chrome, the ActiveTouch General Plugin Conta
The XrayWrapper implementation in Mozilla Firefox before 35.0 and SeaMonkey before 2.32 does not properly interact with
The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 18.0, Firefox ESR 17.x before 17.0.2, Thunderbi
The Web IDL implementation in Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and Se
Use-after-free vulnerability in the BitmapData class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13
Same weakness CWE-416 – Use After Free
View allSame technique Denial Of Service
View allVendor StatusVendor
SUSE
Severity: Important| Product | Status |
|---|---|
| SUSE Package Hub 15 SP7 | Fixed |
| openSUSE Leap 16.0 | Fixed |
| openSUSE Tumbleweed | Fixed |
| SUSE Package Hub 15 SP7 | Affected |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34491
GHSA-cmmh-543x-98cr