Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Victim must open crafted HTML (UI:R) and the vector is local per the description (AV:L); no privileges needed (PR:N), and renderer code execution yields high C/I/A within an unchanged scope.
Primary rating from Vendor (Chrome).
CVSS VectorVendor: Chrome
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Use after free in WebView in Google Chrome on Android prior to 149.0.7827.197 allowed a local attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
AnalysisAI
Arbitrary code execution within the renderer sandbox affects Google Chrome on Android before 149.0.7827.197 via a use-after-free defect in the WebView component, reachable when a victim renders a crafted HTML page. The flaw lets an attacker corrupt freed memory in the rendering process to gain code execution confined to the sandbox; CVSS is 7.8 (High) and Chromium rates it High severity. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the victim to open or render a crafted HTML page in the affected Chrome/Android WebView (UI:R - user interaction is mandatory), and per CVSS the vector is local (AV:L) rather than remotely network-triggered without interaction, framing this as a 'local attacker' delivering crafted content. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are moderately consistent and point to a real but not emergency-grade issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a malicious HTML page that triggers the WebView use-after-free and lures or directs a victim into opening it (for example in a Chrome tab or an in-app WebView), after which the freed-memory corruption is leveraged to run arbitrary code inside the renderer sandbox. Given AV:L and UI:R, success requires the user to actually render the malicious content rather than passive network exposure; no public exploit code is currently identified, so weaponization effort would fall on the attacker. |
| Remediation | Vendor-released patch: 149.0.7827.197 - upgrade Google Chrome (and any embedded WebView/Chrome on Android) to 149.0.7827.197 or later, which is the primary and recommended fix per Google's Chrome Releases advisory (https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0482630350.html); on Android this also means ensuring the Android System WebView and Chrome apps are updated via the Play Store. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Notify all users with Android devices to update Chrome to version 149.0.7827.197 or later through the Google Play Store; verify update availability in your MDM if applicable. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-416 – Use After Free
View allSame technique Memory Corruption
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39049
GHSA-7898-6x7p-pr8g