Description
Use after free in FullScreen in Google Chrome on Windows prior to 149.0.7827.103 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Published: 2026-06-08
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A use‑after‑free bug in the FullScreen implementation of Google Chrome on Windows can lead to heap corruption when a malicious web page is rendered. The flaw may allow a remote attacker to corrupt the browser’s memory, potentially leading to arbitrary code execution or other destructive effects. The weakness is categorized as CWE‑416, a use‑after‑free vulnerability.

Affected Systems

The vulnerability affects Google Chrome versions on Windows that are older than 149.0.7827.103. Users running those releases are exposed until the problem is patched by the next update.

Risk and Exploitability

Because the bug can be triggered from a crafted HTML page, remote attackers can target anyone who visits a malicious site. The CVSS score is 8.8, indicating high severity; the CVE is not listed in CISA’s KEV catalog and no EPSS score is available, so the exact exploitation likelihood is unknown, but the flaw’s high impact warrants prioritizing a patch. No public exploit has been reported yet, yet the nature of the bug suggests it could be weaponized quickly.

Generated by OpenCVE AI on June 9, 2026 at 12:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install Google Chrome version 149.0.7827.103 or newer immediately
  • Enable automatic updates in Chrome or through the operating system so future patches are applied without manual action
  • If an update cannot be applied right away, configure a Chrome policy that disables the FullScreen API to reduce the attack surface

Generated by OpenCVE AI on June 9, 2026 at 12:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft windows

Tue, 09 Jun 2026 13:15:00 +0000

Type Values Removed Values Added
Title Use After Free in FullScreen Leading to Heap Corruption in Chrome

Tue, 09 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 01:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Tue, 09 Jun 2026 00:45:00 +0000

Type Values Removed Values Added
Title Use After Free in FullScreen Leading to Heap Corruption in Chrome

Mon, 08 Jun 2026 23:45:00 +0000

Type Values Removed Values Added
Description Use after free in FullScreen in Google Chrome on Windows prior to 149.0.7827.103 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Weaknesses CWE-416
References

Subscriptions

Google Chrome
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-09T10:26:20.949Z

Reserved: 2026-06-08T21:33:39.072Z

Link: CVE-2026-11648

cve-icon Vulnrichment

Updated: 2026-06-09T10:26:17.624Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-09T00:16:47.700

Modified: 2026-06-09T14:58:01.237

Link: CVE-2026-11648

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-09T13:00:05Z

Weaknesses