Description
Use after free in Extensions in Google Chrome prior to 149.0.7827.155 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension. (Chromium security severity: High)
Published: 2026-06-17
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A use-after-free (CWE-416) in Chrome's Extensions component can be triggered by a malicious extension once a user has installed it, corrupting the heap. Because a use-after-free lets the attacker influence memory the browser still treats as live, the outcome ranges from a crash of the affected process to arbitrary code execution within it.

Affected Systems

Google Chrome releases earlier than 149.0.7827.155 are affected. The description does not restrict the issue to any operating system, so every platform Google ships Chrome for should be treated as affected.

Risk and Exploitability

The CVSS 3.1 base score of 7.5 (High) comes from the vector AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H recorded in the history below: confidentiality, integrity and availability impact are all rated High, but high attack complexity, required user interaction and unchanged scope hold the score down. The EPSS score below 1% indicates a low predicted probability of exploitation in the wild, the SSVC assessment records exploitation as "none" and the issue as not automatable, and the flaw is not listed in CISA's KEV catalog. The attack path is social engineering: the attacker must convince the user to install a crafted extension, which then triggers the use-after-free to corrupt memory.

Generated by OpenCVE AI on June 17, 2026 at 17:53 UTC.

Remediation

No vendor fix or workaround is recorded in this field; the CVE description itself names 149.0.7827.155 as the first fixed Chrome release.

OpenCVE Recommended Actions

  • Upgrade Chrome to 149.0.7827.155 or a later release and confirm the installed build (chrome://version, or the browser's --version flag) rather than trusting the auto-updater alone
  • Remove or disable extensions that were installed from outside the Chrome Web Store or from untrusted channels, and review the permissions of those that remain
  • Use Chrome enterprise policies, for example ExtensionInstallBlocklist set to "*" together with an ExtensionInstallAllowlist of approved extension IDs, so that only vetted extensions can be installed
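
The first and third of these actions are checks an administrator can script. The following is an added example written for this page, not OpenCVE's or Google's tooling: it parses a Chrome version string of the kind reported by `google-chrome --version`, compares it numerically against the fixed release named in the description, and builds the Chrome enterprise policy pair (ExtensionInstallBlocklist plus ExtensionInstallAllowlist) that restricts installation to approved extensions. FIXED_VERSION comes from the CVE description; the sample host reports and the extension ID are constructed.

```python
"""Remediation checks for this advisory, added here as an example; this is not
OpenCVE's or Google's code. The sample version strings and extension ID below
are constructed for illustration."""
from __future__ import annotations

import json
import re
import shutil
import subprocess

# First fixed release, taken from the CVE description.
FIXED_VERSION = "149.0.7827.155"

# Chrome versions are four dot-separated integers: MAJOR.MINOR.BUILD.PATCH.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")
# Chrome extension IDs are 32 characters from the range a-p.
EXTENSION_ID_RE = re.compile(r"^[a-p]{32}$")


def parse_version(text: str) -> tuple[int, ...]:
    """Extract the version from strings such as 'Google Chrome 148.0.7800.12'
    or 'Chromium 149.0.7827.155 snap' and return it as a tuple of ints."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no MAJOR.MINOR.BUILD.PATCH version in {text!r}")
    return tuple(int(g) for g in m.groups())


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build predates the fixed one. The comparison is
    on integer tuples; comparing the raw strings would rank '149.0.7827.99'
    above '149.0.7827.155' because '9' sorts after '1'."""
    return parse_version(installed) < parse_version(fixed)


def detect_installed_version() -> str | None:
    """Best-effort probe for a Chrome/Chromium binary on the local PATH
    (Linux/macOS). Returns the raw '--version' output, or None if none found."""
    for binary in ("google-chrome", "google-chrome-stable", "chromium", "chromium-browser"):
        path = shutil.which(binary)
        if path:
            out = subprocess.run([path, "--version"], capture_output=True, text=True, timeout=10)
            return out.stdout.strip() or None
    return None


def build_extension_policy(allowed_ids: list[str]) -> dict:
    """Policy fragment that blocks every extension except the allowlisted IDs.
    On Linux the JSON form belongs in a file under /etc/opt/chrome/policies/managed/.
    Malformed IDs are rejected so a typo cannot silently drop an approved
    extension from the allowlist while the '*' blocklist stays in force."""
    for ext_id in allowed_ids:
        if not EXTENSION_ID_RE.match(ext_id):
            raise ValueError(f"not a valid Chrome extension ID: {ext_id!r}")
    return {
        "ExtensionInstallBlocklist": ["*"],
        "ExtensionInstallAllowlist": sorted(set(allowed_ids)),
    }


if __name__ == "__main__":
    # Constructed sample reports, as an administrator might collect from hosts.
    reports = {
        "host-a": "Google Chrome 148.0.7800.12",
        "host-b": "Google Chrome 149.0.7827.99",
        "host-c": "Chromium 149.0.7827.155 snap",
    }
    for host, report in reports.items():
        print(host, "VULNERABLE" if is_vulnerable(report) else "fixed", report)
    local = detect_installed_version()
    if local:
        print("local", "VULNERABLE" if is_vulnerable(local) else "fixed", local)
    # Constructed allowlist entry (32 chars, a-p); not a real extension.
    print(json.dumps(build_extension_policy(["abcdefghijklmnopabcdefghijklmnop"]), indent=2))
```

The numeric comparison is the part worth keeping: inventory tools that sort Chrome versions as strings will report a 149.0.7827.99 build as newer than the 149.0.7827.155 fix and miss the vulnerable host.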


Advisories

No advisories yet.

History

Wed, 17 Jun 2026 13:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 06:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Google; Google chrome

Type: Vendors & Products
Values Removed: (none)
Values Added: Google; Google chrome

Wed, 17 Jun 2026 05:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: Use after free in Extensions in Google Chrome prior to 149.0.7827.155 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension. (Chromium security severity: High)

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-416
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-17T12:59:20.128Z

Reserved: 2026-06-16T19:38:26.066Z

Link: CVE-2026-12445

Vulnrichment

Updated: 2026-06-17T12:59:13.695Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-17T06:30:03Z

Weaknesses