Description
Use after free in WebAuthentication in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Published: 2026-06-04
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A use‑after‑free flaw (CWE‑416) exists in the WebAuthentication component of Google Chrome. A remote attacker who lures a user to a crafted HTML page and convinces them to perform specific UI gestures can trigger the free‑then‑reuse and corrupt the heap. The CVE description says only that the heap corruption may be exploitable; it does not state that code execution or any other specific consequence follows, although the published CVSS vector rates the confidentiality, integrity and availability impact as High.

Affected Systems

Google Chrome versions prior to 149.0.7827.53 are affected; 149.0.7827.53 is the first build the CVE description identifies as not affected. The CVE text does not enumerate operating systems or release channels, so any installation that reports an older version should be treated as affected until it is updated.

Risk and Exploitability

The CVSS 3.1 base score is 7.5 (High), from the vector AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H: reachable over the network with no privileges, but with high attack complexity and required user interaction, which is what holds the score below the 9.8 that the High C/I/A impacts alone would suggest. No EPSS score is available, the vulnerability is not listed in the CISA KEV catalog, and the SSVC assessment records Exploitation: none and Automatable: no, so no exploitation in the wild is recorded on this page; that is an absence of evidence, not proof that none has occurred. The attack path is social engineering: the attacker lures the user to a malicious page and gets them to perform the UI gestures the bug requires. The CVE text does not say which gestures those are. Although no exploitation has been documented, a heap‑corruption primitive reachable from a web page warrants prompt patching.

Generated by OpenCVE AI on June 5, 2026 at 05:23 UTC.

Remediation

No vendor advisory or workaround is linked on this page. Per the CVE description, builds from 149.0.7827.53 onward are not affected, so updating Chrome is the fix.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 149.0.7827.53 or later, the first build the CVE description identifies as not affected, and verify the installed version afterwards rather than assuming auto‑update has run.
  • If immediate updating is not feasible, reduce exposure by limiting affected hosts to trusted sites until the update is applied; exploitation requires the user to open an attacker‑controlled page. The page does not identify a Chrome enterprise policy that disables WebAuthentication.
  • Educate users on phishing and social‑engineering tactics; the bug can only be triggered if the victim visits a malicious page and performs specific UI actions on it.
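The first action above depends on comparing installed versions against 149.0.7827.53 correctly. The following is an added example (not code from OpenCVE or Google) that parses Chrome's four‑part version string, compares it numerically against the fixed build named in the CVE description, and triages a constructed inventory, reporting unparseable entries as unknown rather than silently treating them as patched. Hostnames and versions in the sample inventory are made up for the example.

```python
"""Triage Chrome installs against the fixed build for this CVE.

Added example, not code from the OpenCVE page or from Google. The fixed
version (149.0.7827.53) comes from the CVE description; the inventory below
is constructed sample data with hypothetical hostnames.
"""
import re

# First build the CVE description identifies as not affected.
FIXED_VERSION = (149, 0, 7827, 53)

# Chrome versions are four dot-separated integers: MAJOR.MINOR.BUILD.PATCH.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple:
    """Extract the 4-part version from '149.0.7827.53' or from the Linux
    `google-chrome --version` output 'Google Chrome 149.0.7827.53'.
    Raises ValueError when no MAJOR.MINOR.BUILD.PATCH string is present."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no MAJOR.MINOR.BUILD.PATCH version in {text!r}")
    return tuple(int(g) for g in m.groups())


def is_vulnerable(version_text: str) -> bool:
    """True when the installed version predates the fixed build.

    Comparing integer tuples matters: as strings, '149.0.7827.9' sorts after
    '149.0.7827.53' and would wrongly pass a lexical check."""
    return parse_version(version_text) < FIXED_VERSION


def triage(inventory: dict) -> dict:
    """Map host -> 'vulnerable' | 'patched' | 'unknown'.

    An entry whose version cannot be parsed is reported as 'unknown' so that a
    missing or malformed record never counts as patched (fail closed)."""
    result = {}
    for host, text in inventory.items():
        try:
            result[host] = "vulnerable" if is_vulnerable(text) else "patched"
        except ValueError:
            result[host] = "unknown"
    return result


# Constructed sample inventory (hypothetical hostnames and version strings).
SAMPLE_INVENTORY = {
    "ws-01": "Google Chrome 149.0.7827.53",  # exactly the fixed build
    "ws-02": "149.0.7827.9",                 # same build line, older patch
    "ws-03": "148.0.7800.120",               # previous major
    "ws-04": "150.0.7900.12",                # newer major
    "ws-05": "chrome not installed",         # unparseable -> unknown
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Feed it whatever your endpoint inventory exports as the browser version string; the parser only needs the four numeric components to appear somewhere in the text.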

Generated by OpenCVE AI on June 5, 2026 at 05:23 UTC.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 06:00:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Google; Google chrome
Vendors & Products  |                | Google; Google chrome

Fri, 05 Jun 2026 05:45:00 +0000

Type  | Values Removed | Values Added
Title |                | Heap Corruption via WebAuthentication in Chrome

Fri, 05 Jun 2026 03:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 05 Jun 2026 02:30:00 +0000

Type    | Values Removed | Values Added
Metrics |                | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Thu, 04 Jun 2026 23:15:00 +0000

Type        | Values Removed | Values Added
Description |                | Use after free in WebAuthentication in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Weaknesses  |                | CWE-416
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-05T01:44:36.678Z

Reserved: 2026-06-04T17:06:01.150Z

Link: CVE-2026-10906

Vulnrichment

Updated: 2026-06-05T01:44:32.854Z

NVD

Status : Received

Published: 2026-06-04T23:16:52.443

Modified: 2026-06-05T02:16:53.853

Link: CVE-2026-10906

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T05:45:32Z

Weaknesses