Description
Use after free in Cast Streaming in Google Chrome prior to 149.0.7827.53 allowed an attacker on the local network segment to execute arbitrary code via malicious network traffic. (Chromium security severity: Critical)
Published: 2026-06-04
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Use after free in the Cast Streaming module of Google Chrome creates a memory corruption flaw that, when triggered by crafted network packets on the local segment, lets an attacker run arbitrary code with the privileges of the browser process. The flaw is a classic use‑after‑free (CWE‑416) that directly compromises integrity and availability of the affected systems, enabling a local network attacker to take control of the victim’s computing environment.

Affected Systems

The vulnerability affects Google Chrome versions earlier than 149.0.7827.53 on desktop platforms. All users running a pre‑149.0.7827.53 build of Chrome are potentially vulnerable when exposed to malicious traffic on a local network.

Risk and Exploitability

Chromium labels the flaw as Critical, underscoring the severity. With no publicly available EPSS score and the vulnerability not listed in the CISA KEV catalog, the exact exploitation probability is unclear. Attackers would need proximity to the victim’s local network as the flaw is triggered by traffic to Cast Streaming communication channels; the absence of known public exploits makes this a moderate but non‑zero risk for environments still running the affected Chrome build.

Generated by OpenCVE AI on June 5, 2026 at 05:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to the latest stable release (149.0.7827.53 or newer) on all affected machines.
  • Disable or block the Cast Streaming feature by setting the appropriate policy or modifying Chrome flags if an update cannot be applied immediately.
  • Enforce network segmentation or firewall rules to prevent untrusted local devices from reaching the Cast Streaming ports, limiting the attack surface while a patch is applied.

Generated by OpenCVE AI on June 5, 2026 at 05:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 05 Jun 2026 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Fri, 05 Jun 2026 01:45:00 +0000

Type Values Removed Values Added
Title Use After Free in Chrome Cast Streaming Allows Local Network Code Execution

Thu, 04 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Use after free in Cast Streaming in Google Chrome prior to 149.0.7827.53 allowed an attacker on the local network segment to execute arbitrary code via malicious network traffic. (Chromium security severity: Critical)
Weaknesses CWE-416
References

Subscriptions

Google Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-05T01:39:35.317Z

Reserved: 2026-06-04T17:05:56.434Z

Link: CVE-2026-10888

cve-icon Vulnrichment

Updated: 2026-06-05T01:39:27.329Z

cve-icon NVD

Status : Received

Published: 2026-06-04T23:16:50.250

Modified: 2026-06-05T02:16:51.500

Link: CVE-2026-10888

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-05T05:30:32Z

Weaknesses