Skip to main content

Google Chrome EUVDEUVD-2026-40473

| CVE-2026-13787 HIGH
Use After Free (CWE-416)
2026-06-30 chrome-cve-admin@google.com GHSA-v8j9-fq97-r26h
8.1
CVSS 3.1 · Vendor: google
Share

Severity by source

Vendor (google) PRIMARY
8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.1 HIGH

Remote network-triggered use-after-free needing no auth or interaction (AV:N/PR:N/UI:N) but a hard-to-win memory race (AC:H); RCE yields total C/I/A impact.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
SUSE
HIGH
qualitative

Primary rating from Vendor (google).

CVSS VectorVendor: google

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jul 01, 2026 - 17:36 vuln.today
CVSS changed
Jul 01, 2026 - 15:22 NVD
8.1 (HIGH)
CVE Published
Jun 30, 2026 - 23:16 cve.org
HIGH 8.1
CVE Published
Jun 30, 2026 - 23:16 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

Use after free in Chromoting in Google Chrome on Windows prior to 150.0.7871.47 allowed a remote attacker to execute arbitrary code via malicious network traffic. (Chromium security severity: Critical)

AnalysisAI

Remote code execution in Google Chrome's Chromoting (Chrome Remote Desktop) component on Windows affects all desktop builds prior to 150.0.7871.47, where a use-after-free (CWE-416) lets a remote attacker corrupt memory via malicious network traffic. Google rates the Chromium severity Critical, and a vendor patch is available, but there is no public exploit identified at time of analysis and EPSS is low at 0.24%. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach victim Chromoting session
Delivery
Send crafted network traffic
Exploit
Trigger use-after-free in Chromoting
Execution
Reclaim freed heap object
Persist
Hijack control flow
Impact
Execute arbitrary code in Chrome process

Vulnerability AssessmentAI

Exploitation Exploitation requires the Chromoting (Chrome Remote Desktop) code path to be reachable and active, and the attacker must deliver malicious network traffic to that component on a Windows Chrome build prior to 150.0.7871.47. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals are mixed and lean toward moderate real-world priority despite the Critical Chromium label. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can reach a victim's Chrome Remote Desktop / Chromoting session sends specially crafted network traffic that triggers the use-after-free, reclaiming the freed object to gain control of program flow and execute arbitrary code in the Chrome process on Windows. No user interaction or authentication is required per the CVSS vector, but the high attack complexity means the attacker must reliably win a memory-corruption race, so exploitation is non-trivial. …
Remediation Vendor-released patch: 150.0.7871.47 - update Google Chrome to 150.0.7871.47 or later on Windows via the built-in updater (chrome://settings/help) and relaunch to apply, or push the update through enterprise management. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Deploy Chrome version 150.0.7871.47 or later to all Windows endpoints using Chrome Remote Desktop via your patch management system with priority escalation. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Important
Product Status
SUSE Package Hub 15 SP7 Fixed
openSUSE Tumbleweed Fixed
SUSE Package Hub 15 SP7 Affected

Share

EUVD-2026-40473 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy