Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Requires a prior renderer compromise (modeled as PR:L and AC:H for the chained, heap-grooming-dependent precondition) plus loading a crafted page (UI:R); sandbox escape yields scope change with full browser-process impact.
Primary rating from Vendor (google).
CVSS VectorVendor: google
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Use after free in Ozone in Google Chrome on Linux prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
AnalysisAI
Sandbox escape in Google Chrome on Linux (versions prior to 150.0.7871.47) stems from a use-after-free in Ozone, Chrome's platform abstraction layer for windowing and graphics. An attacker who has already compromised the renderer process can leverage a crafted HTML page to break out of the browser sandbox and gain code execution at the higher-privileged browser-process level. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to have ALREADY compromised the Chrome renderer process on a Linux host - this is a chained, second-stage sandbox-escape bug, not a standalone entry point. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C) is driven largely by the scope change (S:C) inherent to a sandbox escape and by network vector with user interaction (visiting a page). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker first compromises the Chrome renderer process on a Linux target using a separate renderer bug (e.g., a V8 or DOM flaw), then serves or continues serving a crafted HTML page that triggers the use-after-free in Ozone. By grooming the freed object's memory, the attacker corrupts browser-process state to escape the sandbox and execute code at browser privilege. … |
| Remediation | Vendor-released patch: update Google Chrome on Linux to 150.0.7871.47 or later, per the Chrome Stable channel update advisory at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all Linux systems running Google Chrome and document current versions; prioritize endpoints in high-risk roles (finance, healthcare, executive). …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-416 – Use After Free
View allSame technique Memory Corruption
View allVendor StatusVendor
SUSE
Severity: Critical| Product | Status |
|---|---|
| SUSE Package Hub 15 SP7 | Fixed |
| openSUSE Tumbleweed | Fixed |
| SUSE Package Hub 15 SP7 | Affected |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40540
GHSA-684j-2c36-hw8w