EUVD-2026-35233
GHSA-q8r9-522f-rhg7
Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Use after free in Bluetooth in Google Chrome on Mac prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code via a malicious peripheral. (Chromium security severity: Critical)
AnalysisAI
Remote code execution in Google Chrome on macOS prior to 149.0.7827.103 stems from a use-after-free condition in the browser's Bluetooth subsystem, rated Critical by Chromium's internal severity scale and CVSS 8.8 by NVD. A remote attacker operating a malicious Bluetooth peripheral can trigger memory corruption to execute arbitrary code in the browser process after the victim performs minimal interaction. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the victim run Google Chrome on macOS at a version below 149.0.7827.103, that the victim grant Web Bluetooth access to attacker-controlled content (UI:R in the CVSS vector - the chooser dialog and pairing approval are user-driven), and that an attacker-controlled Bluetooth peripheral be reachable to the victim's machine, either physically within BLE range or via an emulated peripheral exposed through a compromised local agent. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H supports a high severity reading: network attack vector, low complexity, no privileges required, but user interaction is required (UI:R) - almost certainly the victim must grant Bluetooth pairing/permission to a malicious peripheral or visit a malicious page that initiates the Web Bluetooth chooser. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker hosts a malicious page that calls navigator.bluetooth.requestDevice() and lures a macOS Chrome user into selecting an attacker-controlled peripheral (or a peripheral that impersonates an expected device) from the chooser dialog. Once paired, the malicious peripheral returns crafted GATT responses that drive the vulnerable code path in Chrome's Bluetooth handling, freeing an object while a dangling reference remains, then reclaiming the slot to hijack a virtual call and execute code in the renderer or browser process. … |
| Remediation | Vendor-released patch: Google Chrome 149.0.7827.103 for macOS - upgrade immediately via the Chrome Stable channel by relaunching the browser or pushing the update through MDM/enterprise management (see https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0153744567.html). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit all macOS systems running Chrome and confirm MDM/auto-update coverage status; create deployment plan for Chrome 149.0.7827.103 and later. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Vendor StatusVendor
SUSE
Severity: Critical| Product | Status |
|---|---|
| openSUSE Leap 16.0 | Fixed |
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today