Description
Use after free in Cast Streaming in Google Chrome prior to 149.0.7827.53 allowed an attacker on the local network segment to execute arbitrary code via malicious network traffic. (Chromium security severity: Critical)
Published: 2026-06-04
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Use after free in the Cast Streaming module of Google Chrome creates a memory corruption flaw that, when triggered by crafted network packets on the local segment, lets an attacker run arbitrary code with the privileges of the browser process. The flaw is a classic use‑after‑free (CWE‑416) and improper handling of system resources (CWE‑825) that directly compromises integrity and availability of the affected systems, enabling a local network attacker to take control of the victim’s computing environment.

Affected Systems

The vulnerability affects Google Chrome versions earlier than 149.0.7827.53 on desktop platforms. All users running a pre‑149.0.7827.53 build of Chrome are potentially vulnerable when exposed to malicious traffic on a local network.

Risk and Exploitability

Chromium labels the flaw as Critical, underscoring the severity. With a CVSS score of 8.8 and an EPSS score of 0.00012, the exploitation probability is low but nonzero; the vulnerability is not listed in the CISA KEV catalog. Attackers would need proximity to the victim’s local network as the flaw is triggered by traffic to Cast Streaming communication channels; although public exploits are not yet known, the combination of a high CVSS score and low but nonzero EPSS score warrants a moderate to high risk assessment for environments still running the affected Chrome build.

Generated by OpenCVE AI on June 7, 2026 at 14:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to the latest stable release (149.0.7827.53 or newer) on all affected machines.
  • Disable or block the Cast Streaming feature by setting the appropriate policy or modifying Chrome flags if an update cannot be applied immediately.
  • Enforce network segmentation or firewall rules to prevent untrusted local devices from reaching the Cast Streaming ports, limiting the attack surface while a patch is applied.

Generated by OpenCVE AI on June 7, 2026 at 14:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6325-1 chromium security update
History

Sun, 07 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Title Use After Free in Chrome Cast Streaming Allows Local Network Code Execution chromium-browser: Use after free in Cast Streaming
Weaknesses CWE-825
References
Metrics threat_severity

None

 threat_severity

Important

Fri, 05 Jun 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Fri, 05 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 05 Jun 2026 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Fri, 05 Jun 2026 01:45:00 +0000

Type Values Removed Values Added
Title Use After Free in Chrome Cast Streaming Allows Local Network Code Execution

Thu, 04 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Use after free in Cast Streaming in Google Chrome prior to 149.0.7827.53 allowed an attacker on the local network segment to execute arbitrary code via malicious network traffic. (Chromium security severity: Critical)
Weaknesses CWE-416
References

Subscriptions

Apple Macos
Google Chrome
Linux Linux Kernel
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-05T01:39:35.317Z

Reserved: 2026-06-04T17:05:56.434Z

Link: CVE-2026-10888

cve-icon Vulnrichment

Updated: 2026-06-05T01:39:27.329Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-04T23:16:50.250

Modified: 2026-06-05T20:14:49.480

Link: CVE-2026-10888

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-02T00:00:00Z

Links: CVE-2026-10888 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-07T14:15:07Z

Weaknesses