Description
Use after free in WebRTC in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Published: 2026-06-04
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An out‑of‑bounds memory access in Chrome's WebRTC implementation allows a malicious web page to trigger a use‑after‑free and run arbitrary code within the browser sandbox. The flaw can be abused to overwrite or corrupt critical data structures in the JavaScript engine, enabling code execution with sandboxed privileges. The associated weaknesses are use‑after‑free (CWE‑416) and an additional flaw in handling allocated resources identified as CWE‑825.

Affected Systems

Google Chrome browsers running a version older than 149.0.7827.53 on any supported platform are vulnerable. This includes Windows, macOS, Linux, Android, and iOS installations that have not yet applied the patch contained in the 149.0.7827.53 release.

Risk and Exploitability

Chromium rates the vulnerability as high severity with a CVSS score of 8.8, and the browser is commonly exposed to Internet content, making the attack vector remote. The EPSS score is less than 1 % and the issue is not listed in the CISA KEV catalog, but the ability to achieve arbitrary code execution makes it a high‑risk exposure that can be leveraged by an attacker controlling a web page or by phishing or drive‑by attacks.

Generated by OpenCVE AI on June 7, 2026 at 13:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to version 149.0.7827.53 or later.
  • Disable WebRTC globally through enterprise policy or browser settings if an immediate patch is unavailable.
  • Use a content security policy that restricts or prohibits active network connections from the renderer process to mitigate potential exploitation of similar memory safety issues.

Generated by OpenCVE AI on June 7, 2026 at 13:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6325-1 chromium security update
History

Sun, 07 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Title chromium-browser: Use after free in WebRTC
Weaknesses CWE-825
References
Metrics threat_severity

None

 threat_severity

Important

Fri, 05 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Fri, 05 Jun 2026 06:15:00 +0000

Type Values Removed Values Added
Title Use-After-Free Vulnerability in Chrome WebRTC Enabling Remote Code Execution

Fri, 05 Jun 2026 02:00:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Fri, 05 Jun 2026 01:30:00 +0000

Type Values Removed Values Added
Title Use-After-Free Vulnerability in Chrome WebRTC Enabling Remote Code Execution
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 04 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Use after free in WebRTC in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Weaknesses CWE-416
References

Subscriptions

Apple Macos
Google Chrome
Linux Linux Kernel
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-05T00:33:10.741Z

Reserved: 2026-06-04T17:06:00.363Z

Link: CVE-2026-10903

cve-icon Vulnrichment

Updated: 2026-06-05T00:26:31.394Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-04T23:16:52.050

Modified: 2026-06-05T20:15:35.520

Link: CVE-2026-10903

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-02T00:00:00Z

Links: CVE-2026-10903 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-07T13:30:26Z

Weaknesses