Description
Use after free in Views in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-04
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a use‑after‑free in Chrome’s Views objects that can be triggered when a user performs certain UI gestures on a crafted HTML page. If exploited, the attacker could corrupt memory on the heap and potentially execute arbitrary code or crash the browser. This flaw is classified as CWE‑416 and CWE‑825.

Affected Systems

Google Chrome on desktop platforms, versions earlier than 149.0.7827.53, including the stable channel.

Risk and Exploitability

An EPSS score of < 1% indicates a very low probability of exploitation, and the CVSS score is 8.8, but the flaw is not listed in the CISA KEV catalog, so the Chromium security severity is Medium. Exploitation requires the user to interact with a malicious page and perform specific UI gestures, so the attack vector is social engineering. If successful, heap corruption could lead to remote code execution, posing a significant risk to confidentiality, integrity, and availability.

Generated by OpenCVE AI on June 7, 2026 at 14:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install Chrome update 149.0.7827.53 or later to incorporate the fix for the use‑after‑free vulnerability.
  • If an update is temporarily unavailable, configure enterprise policy to block or restrict the execution of the affected feature, such as disabling relevant Chrome flags or enforcing app‑isolation policies that prevent the Views module from being accessed by untrusted content.
  • Conduct user awareness training to discourage interaction with unsolicited or dubious web pages and ensure users do not perform the specific UI gestures on suspicious sites.

Generated by OpenCVE AI on June 7, 2026 at 14:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6325-1 chromium security update
History

Sun, 07 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Title chromium-browser: Use after free in Views
Weaknesses CWE-825
References
Metrics threat_severity

None

 threat_severity

Moderate

Fri, 05 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Fri, 05 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Title Use After Free in Chrome Views Allows Heap Corruption via Crafted HTML Page

Fri, 05 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 05 Jun 2026 07:00:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Fri, 05 Jun 2026 03:15:00 +0000

Type Values Removed Values Added
Title Use After Free in Chrome Views Allows Heap Corruption via Crafted HTML Page

Thu, 04 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Use after free in Views in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)
Weaknesses CWE-416
References

Subscriptions

Apple Macos
Google Chrome
Linux Linux Kernel
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-05T16:16:23.004Z

Reserved: 2026-06-04T17:06:36.045Z

Link: CVE-2026-11042

cve-icon Vulnrichment

Updated: 2026-06-05T15:02:48.874Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-04T23:17:08.533

Modified: 2026-06-05T20:43:20.073

Link: CVE-2026-11042

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-02T00:00:00Z

Links: CVE-2026-11042 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-07T14:30:16Z

Weaknesses