Description
Use after free in Views in Google Chrome on Linux prior to 149.0.7827.103 allowed an attacker who convinced a user to install a malicious extension to execute arbitrary code via a crafted Chrome Extension. (Chromium security severity: Critical)
Published: 2026-06-08
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A use-after-free bug was discovered in the Views component of Google Chrome on Linux. An attacker can trick a user into installing a specially crafted Chrome extension, which then causes the browser to execute arbitrary code with the same privileges as the Chrome process. The flaw is classified as CWE-416, and Chromium flags it as Critical severity, indicating that exploitation can lead to full compromise of the affected system.

Affected Systems

The vulnerability affects all Linux-based installations of Google Chrome with a version earlier than 149.0.7827.103. Any user running those older stable channel releases is at risk if they install extensions from untrusted sources.

Risk and Exploitability

EPSS information is currently unavailable and the vulnerability is not listed in the CISA KEV catalog, but Chromium's own severity rating reflects the high risk. The CVSS score of 7.5 rates the vulnerability as high severity. Exploitation requires a social-engineering step: convincing the user to install a malicious extension. Once the extension is installed, the compromised browser process can run attacker-supplied code at the same privilege level as the browser, enabling full system compromise.

Generated by OpenCVE AI on June 9, 2026 at 02:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 149.0.7827.103 or newer on all Linux systems.
  • Configure Chrome’s extension settings or Group Policy so that only extensions from the Chrome Web Store can be installed, and turn off the ability to allow developer mode extensions.
  • After upgrading, review installed extensions for unknown or suspicious packages and remove any that are not officially verified.



Advisories

No advisories yet.

History

Tue, 09 Jun 2026 15:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared  (none)           Linux; Linux linux Kernel
CPEs                 (none)           cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*; cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
Vendors & Products   (none)           Linux; Linux linux Kernel

Tue, 09 Jun 2026 03:15:00 +0000

Type   Values Removed   Values Added
Title  (none)           Use After Free in Chrome Views Leads to Arbitrary Code Execution via Malicious Extension

Tue, 09 Jun 2026 01:30:00 +0000

Type     Values Removed   Values Added
Metrics  (none)           cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}
                          ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 00:45:00 +0000

Type                 Values Removed   Values Added
Title                (none)           Use After Free in Chrome Views Leads to Arbitrary Code Execution via Malicious Extension
First Time appeared  (none)           Google; Google chrome
Vendors & Products   (none)           Google; Google chrome

Mon, 08 Jun 2026 23:45:00 +0000

Type         Values Removed   Values Added
Description  (none)           Use after free in Views in Google Chrome on Linux prior to 149.0.7827.103 allowed an attacker who convinced a user to install a malicious extension to execute arbitrary code via a crafted Chrome Extension. (Chromium security severity: Critical)
Weaknesses   (none)           CWE-416
References   (none)           (none)

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-09T03:55:50.576Z

Reserved: 2026-06-08T21:33:37.573Z

Link: CVE-2026-11644

Vulnrichment

Updated: 2026-06-09T01:06:43.133Z

NVD

Status: Analyzed

Published: 2026-06-09T00:16:47.250

Modified: 2026-06-09T14:57:16.693

Link: CVE-2026-11644

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T03:00:14Z

Weaknesses