Description
Use after free in Views in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)
Published: 2026-05-28
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Use‑after‑free in the Views component of Google Chrome allows a remote attacker who convinces a user to perform specific UI gestures to execute arbitrary code via a crafted HTML page. The flaw can lead to full code execution with the same privileges as the user, and it is classified as high severity by Chromium.

Affected Systems

Google Chrome browsers with releases earlier than 148.0.7778.216 are vulnerable. The vulnerability exists in the stable channel of the desktop application and impacts the Views rendering engine.

Risk and Exploitability

Based on the description, the attack requires user interaction: an attacker must persuade a user to engage in certain UI gestures, so exploitation depends on social engineering or malicious web content. The CVSS score of 7.5 indicates high severity, while the EPSS score of less than 1% suggests a low probability of exploitation in the general population. The flaw is not listed in the CISA KEV catalog, and there is no evidence of known public exploitation. Nonetheless, the combination of high impact and the possibility of exploitation through user interaction warrants prompt remediation.

Generated by OpenCVE AI on May 29, 2026 at 14:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 148.0.7778.216 or later.
  • Enable automatic updates to receive security patches as soon as they are released.
  • Avoid visiting untrusted or suspicious websites that may host malicious HTML until the browser is updated.



Advisories

No advisories yet.

History

Fri, 29 May 2026 12:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Fri, 29 May 2026 12:15:00 +0000

Type Values Removed Values Added
Title Use-After-Free in Chrome Views Enabling Remote Code Execution chromium-browser: Use after free in Views
Weaknesses CWE-825
References
Metrics threat_severity

None

cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

threat_severity

Important


Thu, 28 May 2026 23:45:00 +0000

Type Values Removed Values Added
Title Use-After-Free in Chrome Views Enabling Remote Code Execution
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Thu, 28 May 2026 22:45:00 +0000

Type Values Removed Values Added
Description Use after free in Views in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)
Weaknesses CWE-416
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-30T03:55:25.880Z

Reserved: 2026-05-28T17:25:11.979Z

Link: CVE-2026-10003

Vulnrichment

Updated: 2026-05-29T10:20:46.694Z

NVD

Status: Awaiting Analysis

Published: 2026-05-28T23:16:42.083

Modified: 2026-05-29T12:16:24.800

Link: CVE-2026-10003

Redhat

Severity: Important

Public Date: 2026-05-27T00:00:00Z

Links: CVE-2026-10003 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-29T14:15:37Z

Weaknesses