Description
Use after free in WebRTC in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Published: 2026-06-04
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a use-after-free flaw in the WebRTC component of Google Chrome. An attacker can trigger the flaw by serving a specially crafted HTML page, causing Chrome to keep using memory that has already been freed. This gives the attacker the ability to run arbitrary code inside the browser's sandbox, potentially allowing them to exfiltrate data or perform actions on the victim's machine.

Affected Systems

Affected systems are all installations of Google Chrome prior to version 149.0.7827.53. The flaw exists in the stable channel releases published before that version. Users running earlier Chrome versions with WebRTC enabled are vulnerable.

Risk and Exploitability

The flaw is a high-severity condition, reflected by a CVSS score of 8.8; exploitation requires only that the victim load a malicious page, so the attack vector is remote and needs minimal user interaction. No EPSS data is available and the issue is not listed in the CISA KEV catalog, but the potential impact justifies timely remediation. An unpatched user can be compromised through a web page or an email attachment, leading to code execution within the browser sandbox.

Generated by OpenCVE AI on June 5, 2026 at 04:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to version 149.0.7827.53 or later via the standard update mechanism.
  • If immediate update is not possible, disable WebRTC in Chrome through chrome://flags or an enterprise policy to stop the vulnerable component from executing.
  • Avoid visiting untrusted sites and keep other browser extensions up to date; use a reputable security solution to block malicious web content.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 03:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Google; Google chrome

Type: Vendors & Products
Values Removed: (none)
Values Added: Google; Google chrome

Fri, 05 Jun 2026 02:15:00 +0000

Type: Title
Values Removed: (none)
Values Added: Use-After-Free in Chrome WebRTC Leads to Remote Code Execution

Fri, 05 Jun 2026 01:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}
ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 04 Jun 2026 23:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: Use after free in WebRTC in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-416

Type: References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-05T00:32:26.313Z

Reserved: 2026-06-04T17:06:11.022Z

Link: CVE-2026-10939

Vulnrichment

Updated: 2026-06-05T00:26:18.528Z

NVD

Status: Received

Published: 2026-06-04T23:16:56.443

Modified: 2026-06-05T02:16:58.220

Link: CVE-2026-10939

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T04:45:32Z

Weaknesses