Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Network-delivered media (AV:N/AC:L/PR:N) but victim must load the crafted video (UI:R); heap corruption yields high C/I/A within the unchanged renderer scope (S:U).
Primary rating from Vendor (google).
CVSS VectorVendor: google
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Out of bounds read and write in Codecs in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to potentially exploit heap corruption via a crafted video file. (Chromium security severity: High)
AnalysisAI
Heap corruption in Google Chrome's Codecs component allows a remote attacker to trigger out-of-bounds read and write operations by luring a victim to open or play a crafted video file, affecting all desktop builds prior to 150.0.7871.115. Rated High by Chromium and CVSS 8.8, it requires user interaction (viewing malicious media) but no privileges, and combines information disclosure with potential memory corruption that could lead to code execution. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the victim to load or play a crafted, malicious video file in an unpatched Chrome desktop build prior to 150.0.7871.115 - the CVSS UI:R metric confirms user interaction (navigating to attacker content or opening the media) is mandatory, which is the primary limiting factor. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H = 8.8) signals a network-reachable, low-complexity, unauthenticated flaw with high confidentiality, integrity, and availability impact, gated only by user interaction (UI:R) - the user must load malicious media. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker hosts a web page or embeds an ad containing a maliciously crafted video file and entices a victim running an unpatched Chrome (<150.0.7871.115) to visit it. When Chrome's Codecs component decodes the video, the malformed stream triggers out-of-bounds read/write, corrupting heap memory and potentially enabling information disclosure or code execution in the renderer. … |
| Remediation | Vendor-released patch: update Google Chrome to 150.0.7871.115 or later on all desktop platforms via the built-in updater (Settings > About Chrome) followed by a browser relaunch to load the fix, per the Chrome Releases advisory at https://chromereleases.googleblog.com/2026/07/stable-channel-update-for-desktop_01162222768.html. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: issue an emergency security alert and confirm Chrome deployment channels. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42485
GHSA-c9x3-cmj9-8pxm