Description
Use after free in Omnibox in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-04
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a use-after-free flaw in the Omnibox component of Google Chrome that can lead to heap corruption when a specially crafted HTML page is viewed and the user performs certain UI gestures. If the heap is corrupted, an attacker could potentially execute arbitrary code or cause a denial of service. This weakness is classified as both CWE-416 (Use After Free) and CWE-825 (Heap Corruption).

Affected Systems

Google Chrome versions prior to 149.0.7827.53 on the stable channel are affected. The issue applies to all platforms that ship the impacted browser release; no other products or vendors are listed.

Risk and Exploitability

The CVSS score is 8.8, indicating high severity. The EPSS score is < 1%, suggesting a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the likely attack vector involves a remote attacker delivering a malicious web page that forces a user to engage in specific UI interactions with the Omnibox. The user must visit the page while running the affected Chrome version; the exploit requires user interaction but could lead to arbitrary code execution if the heap corruption is successfully triggered.

Generated by OpenCVE AI on June 7, 2026 at 14:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 149.0.7827.53 or later via the browser’s built-in update mechanism.
  • If a patch cannot be applied immediately, consider disabling address-bar autocomplete features via enterprise policy to reduce the attack surface as a temporary measure.
  • Avoid interacting with untrusted web pages that may target the Omnibox; use safe browsing tools or web filters to block malicious content.

Generated by OpenCVE AI on June 7, 2026 at 14:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6325-1 chromium security update
History

Mon, 08 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Sun, 07 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Title chromium-browser: Use after free in Omnibox
Weaknesses CWE-825
References
Metrics threat_severity

None

 threat_severity

Moderate

Fri, 05 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Title Omnibox Use-After-Free Vulnerability Allowing Heap Corruption in Chrome

Fri, 05 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 05 Jun 2026 06:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Fri, 05 Jun 2026 04:15:00 +0000

Type Values Removed Values Added
Title Omnibox Use-After-Free Vulnerability Allowing Heap Corruption in Chrome

Thu, 04 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Use after free in Omnibox in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)
Weaknesses CWE-416
References

Subscriptions

Apple Macos
Google Chrome
Linux Linux Kernel
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-05T16:51:11.334Z

Reserved: 2026-06-04T17:10:39.056Z

Link: CVE-2026-11177

cve-icon Vulnrichment

Updated: 2026-06-05T16:49:29.942Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-04T23:17:24.567

Modified: 2026-06-08T14:21:13.517

Link: CVE-2026-11177

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-02T00:00:00Z

Links: CVE-2026-11177 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-07T15:00:13Z

Weaknesses