Description
Use after free in WebRTC in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Published: 2026-06-04
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a use‑after‑free flaw in the WebRTC component of Google Chrome. It allows a remote attacker to construct a malicious HTML page that triggers the flaw and results in execution of arbitrary code. The flaw falls under CWE‑416 (Use After Free).

Affected Systems

Google Chrome desktop browsers running versions earlier than 149.0.7827.53 are affected. Any user running a vulnerable Chrome instance could be targeted by a malicious webpage.

Risk and Exploitability

The vulnerability is classified as high severity. No EPSS score is available and the issue is not listed in CISA’s KEV catalog. The likely attack vector is a crafted web page visited in the browser; because the execution occurs within the Chrome sandbox the impact is limited to the sandbox, but it still permits arbitrary code execution that can compromise the underlying system if privilege escalation is achieved.

Generated by OpenCVE AI on June 5, 2026 at 05:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 149.0.7827.53 or later.
  • Ensure that Chrome’s automatic update mechanism is enabled so that the patch is applied promptly.
  • If an immediate upgrade cannot be performed, disable or restrict WebRTC by configuring the Chromium policy setting "WebRTC" to false or using the chrome://flags interface to block WebRTC functionality until the security update is available.

Generated by OpenCVE AI on June 5, 2026 at 05:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 06:00:00 +0000

Type Values Removed Values Added
Title Use‑After‑Free in Chrome WebRTC Enables Remote Code Execution

Fri, 05 Jun 2026 04:30:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Fri, 05 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 04 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Use after free in WebRTC in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Weaknesses CWE-416
References

Subscriptions

Google Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-05T00:32:11.611Z

Reserved: 2026-06-04T17:06:11.935Z

Link: CVE-2026-10943

cve-icon Vulnrichment

Updated: 2026-06-05T00:26:13.655Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-06-04T23:16:56.890

Modified: 2026-06-05T15:02:34.977

Link: CVE-2026-10943

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-05T05:45:33Z

Weaknesses