Skip to main content

Google Chrome EUVDEUVD-2026-39041

| CVE-2026-13026 HIGH
Use After Free (CWE-416)
2026-06-24 Chrome GHSA-mmm9-39xr-fcc3
8.8
CVSS 3.1 · Vendor: Chrome
Share

Severity by source

Vendor (Chrome) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Remote crafted page (AV:N) needs only a victim visit (UI:R) with no auth (PR:N); a UAF enabling code execution yields high C/I/A within the unchanged browser scope.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Red Hat
8.8 HIGH
qualitative

Primary rating from Vendor (Chrome).

CVSS VectorVendor: Chrome

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 24, 2026 - 21:32 vuln.today
CVSS changed
Jun 24, 2026 - 20:22 NVD
8.8 (HIGH)
CVE Published
Jun 24, 2026 - 18:43 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 24, 2026 - 18:43 cve.org
HIGH 8.8

DescriptionCVE.org

Use after free in Digital Credentials in Google Chrome on Mac prior to 149.0.7827.197 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

AnalysisAI

Heap corruption via use-after-free in Google Chrome's Digital Credentials component on macOS allows a remote attacker to potentially execute code by luring a victim to a crafted HTML page, affecting Chrome builds prior to 149.0.7827.197. The flaw was reported internally by Google's Chrome team, and per CISA's SSVC framework exploitation is currently 'none', so this is no public exploit identified at time of analysis despite a high (8.8) CVSS score requiring user interaction. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Lure victim to crafted page
Delivery
Page invokes Digital Credentials API
Exploit
Trigger use-after-free / heap corruption
Execution
Groom heap and reuse freed object
Impact
Achieve code execution in browser

Vulnerability AssessmentAI

Exploitation Exploitation requires the victim to open a crafted HTML page in Google Chrome on macOS at a version below 149.0.7827.197 (UI:R - user interaction is the key limiting factor; no authentication is needed, PR:N). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals conflict on urgency. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker hosts a crafted HTML page exercising the Digital Credentials API and lures a Chrome-on-Mac user to it via phishing link, malicious ad, or compromised site. Loading the page triggers the use-after-free, corrupting the heap; with a reliable allocation grooming primitive the attacker leverages this toward arbitrary code execution in the browser. …
Remediation Vendor-released patch: Google Chrome 149.0.7827.197 - update Chrome to 149.0.7827.197 or later on macOS via Chrome's built-in updater (chrome://settings/help) and relaunch to apply, per the Stable channel advisory at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0482630350.html. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Inventory all macOS systems running Chrome versions prior to 149.0.7827.197 and segregate highest-risk users if necessary. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

Share

EUVD-2026-39041 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy