Description
Use after free in Views in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Published: 2026-06-04
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A use‑after‑free vulnerability in the Views component of Google Chrome, present in all versions before 149.0.7827.53, permits a remote attacker who has already compromised the renderer process to craft a malicious HTML page that triggers a sandbox escape. The flaw, classified as CWE‑416 and CWE‑825, can lead to the execution of arbitrary code on the victim’s system, thereby undermining both confidentiality and integrity.

Affected Systems

Google Chrome users running any version older than 149.0.7827.53 on Windows, macOS, or Linux are affected. The vulnerability specifically targets the renderer process of Chrome’s stable channel prior to the noted patch release.

Risk and Exploitability

Chromium rates this issue as high severity. The CVSS score of 8.8 indicates a high impact, and the EPSS score is less than 1%, reflecting a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to already control the renderer process, inferred that this generally involves delivering a specially crafted HTML payload through a compromised site or another exploit. While the attack vector is remote and can be triggered without further user interaction beyond visiting malicious content, the overall risk is considered moderate to high until the affected Chrome versions are updated.

Generated by OpenCVE AI on June 7, 2026 at 14:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to at least version 149.0.7827.53 to remove the use‑after‑free flaw.
  • Ensure Chrome’s automatic update mechanism is enabled so future security patches are applied without manual intervention.
  • If an immediate update is not possible, disable or remove extensions that inject content into renderer processes to reduce the attack surface until the vulnerability is patched.

Generated by OpenCVE AI on June 7, 2026 at 14:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6325-1 chromium security update
History

Sun, 07 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Title chromium-browser: Use after free in Views
Weaknesses CWE-825
References
Metrics threat_severity

None

 threat_severity

Important

Sat, 06 Jun 2026 02:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*

Fri, 05 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Title Use‑After‑Free in Google Chrome Views Enables Potential Sandbox Escape via Malicious HTML Page

Fri, 05 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 05 Jun 2026 04:30:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Fri, 05 Jun 2026 03:30:00 +0000

Type Values Removed Values Added
Title Use‑After‑Free in Google Chrome Views Enables Potential Sandbox Escape via Malicious HTML Page

Thu, 04 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Use after free in Views in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Weaknesses CWE-416
References

Subscriptions

Google Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-05T15:24:05.191Z

Reserved: 2026-06-04T17:06:23.201Z

Link: CVE-2026-10988

cve-icon Vulnrichment

Updated: 2026-06-05T15:02:13.560Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-04T23:17:02.210

Modified: 2026-06-06T01:49:05.357

Link: CVE-2026-10988

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-02T00:00:00Z

Links: CVE-2026-10988 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-07T14:15:07Z

Weaknesses