Description
Use after free in WebRTC in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Published: 2026-06-04
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An out‑of‑bounds memory access in Chrome's WebRTC implementation allows a malicious web page to trigger a use‑after‑free and run arbitrary code within the browser sandbox. The flaw can be abused to overwrite or corrupt critical data structures in the JavaScript engine, enabling code execution with sandboxed privileges. The associated weakness is a classic use‑after‑free identified as CWE-416.

Affected Systems

Google Chrome browsers running a version older than 149.0.7827.53 on any supported platform are vulnerable. This includes Windows, macOS, Linux, Android, and iOS installations that have not yet applied the patch contained in the 149.0.7827.53 release.

Risk and Exploitability

Chromium rates the vulnerability as high severity with a CVSS score of 8.8, and the browser is commonly exposed to Internet content, making the attack vector remote. No EPSS score is available, and the issue is not listed in the CISA KEV catalog, but the ability to achieve arbitrary code execution makes it a high‑risk exposure that can be leveraged by an attacker controlling a web page or by phishing or drive‑by attacks.

Generated by OpenCVE AI on June 5, 2026 at 05:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to version 149.0.7827.53 or later.
  • Disable WebRTC globally through enterprise policy or browser settings if an immediate patch is unavailable.
  • Use a content security policy that restricts or prohibits active network connections from the renderer process to mitigate potential exploitation of similar memory safety issues.

Generated by OpenCVE AI on June 5, 2026 at 05:49 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 06:15:00 +0000

Type Values Removed Values Added
Title Use-After-Free Vulnerability in Chrome WebRTC Enabling Remote Code Execution

Fri, 05 Jun 2026 02:00:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Fri, 05 Jun 2026 01:30:00 +0000

Type Values Removed Values Added
Title Use-After-Free Vulnerability in Chrome WebRTC Enabling Remote Code Execution
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 04 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Use after free in WebRTC in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Weaknesses CWE-416
References

Subscriptions

Google Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-05T00:33:10.741Z

Reserved: 2026-06-04T17:06:00.363Z

Link: CVE-2026-10903

cve-icon Vulnrichment

Updated: 2026-06-05T00:26:31.394Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-06-04T23:16:52.050

Modified: 2026-06-05T15:02:34.977

Link: CVE-2026-10903

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-05T06:00:06Z

Weaknesses