Description
Use after free in Media in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-04
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a use‑after‑free flaw (CWE‑416) in Chrome’s Media component that permits a maliciously crafted HTML page to execute arbitrary code within the browser’s sandbox. An attacker could supply a specially constructed page that causes the browser to free and then reuse a memory region, allowing the execution of code supplied by the attacker. The result is remote code execution on the client machine, violating confidentiality, integrity, and availability of the user session, and providing an attacker with the ability to run arbitrary code without sandbox escape prerequisites.

Affected Systems

Google Chrome versions prior to 149.0.7827.53 are affected. The flaw is present in the stable channel and can be triggered by loading a malicious HTML page on any machine running an unpatched instance of Chrome.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity. The EPSS score is not available, but the vulnerability has been reported by Chromium with a Medium severity tag and is not listed in the CISA KEV catalog. The likely attack vector is a malicious webpage sent to the user; the attacker does not need prior access or credentials. The exploit requires the victim to visit a crafted page, after which arbitrary code can run with the privileges of the browser process, granting local compromise.

Generated by OpenCVE AI on June 5, 2026 at 04:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to version 149.0.7827.53 or later using official update channels.
  • If an immediate update is not possible, close all running Chrome instances and disable any remote or unfamiliar web content until the patch is applied.
  • Configure Chrome policies or use enterprise management to block the Media component from loading untrusted content as a temporary mitigation until a patch is available.

Generated by OpenCVE AI on June 5, 2026 at 04:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 04:30:00 +0000

Type Values Removed Values Added
Title Use‑after‑free in Chrome Media Enables Remote Code Execution via Crafted HTML

Fri, 05 Jun 2026 01:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 04 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Use after free in Media in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)
Weaknesses CWE-416
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-05T00:25:51.817Z

Reserved: 2026-06-04T17:06:56.925Z

Link: CVE-2026-11130

cve-icon Vulnrichment

Updated: 2026-06-05T00:24:18.324Z

cve-icon NVD

Status : Received

Published: 2026-06-04T23:17:19.083

Modified: 2026-06-05T02:17:07.317

Link: CVE-2026-11130

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-05T04:15:26Z

Weaknesses