Description
Use after free in Downloads in Google Chrome on Android prior to 149.0.7827.155 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Published: 2026-06-17
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A use‑after‑free condition in the Downloads handling of Google Chrome on Android allows a remote attacker to provoke heap corruption by delivering a crafted HTML page. The flaw permits the attacker to potentially execute arbitrary code or cause denial of service if the corruption leads to process takeover. The underlying weakness is a classic heap use‑after‑free (CWE‑416) and memory corruption (CWE‑825).

Affected Systems

All Android devices running Google Chrome versions earlier than 149.0.7827.155 are affected. The vulnerability is present in the stable channel of Chrome on Android and is referenced as a high‑severity issue by Chromium security. Devices with older Chrome installations, such as 149.0.7827.154 and earlier, must be considered vulnerable.

Risk and Exploitability

The estimated EPSS score is below 1 %, indicating that exploitation is uncommon but not impossible. The CVSS score of 8.8 classifies the vulnerability as high severity. The flaw is not currently listed in CISA’s KEV catalog. Given the remote nature of the trigger—an attacker can supply a malicious HTML page—the attack vector is likely via phishing or social engineering. The high Chromium severity suggests significant potential impact if the vulnerability is successfully exploited. The absence of a public exploit in the data set does not preclude future development of such code.

Generated by OpenCVE AI on June 19, 2026 at 13:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Chrome update, version 149.0.7827.155 or newer, using the official Android update channel or the Chrome release blog link.
  • If an update cannot be applied immediately, disable or restrict the Downloads feature so that Chrome does not automatically download or render suspicious content from remote pages.
  • Switch to a different, up‑to‑date browser or enable Chrome’s Safe‑Browsing features to mitigate potential exploitation until a patch is applied.

Generated by OpenCVE AI on June 19, 2026 at 13:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6351-1 chromium security update
History

Fri, 19 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Title chromium-browser: chromium-browser: Use after free in Downloads
Weaknesses CWE-825
References
Metrics threat_severity

None

threat_severity

Important


Thu, 18 Jun 2026 21:45:00 +0000

Type Values Removed Values Added
Title Use‑After‑Free in Chrome Downloads on Android Leading to Heap Corruption

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Use‑After‑Free in Chrome Downloads on Android Leading to Heap Corruption
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 07:00:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Wed, 17 Jun 2026 05:15:00 +0000

Type Values Removed Values Added
Description Use after free in Downloads in Google Chrome on Android prior to 149.0.7827.155 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Weaknesses CWE-416
References

cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-18T03:55:25.605Z

Reserved: 2026-06-16T19:38:28.576Z

Link: CVE-2026-12452

cve-icon Vulnrichment

Updated: 2026-06-17T13:03:46.514Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-17T01:38:17Z

Links: CVE-2026-12452 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-19T13:45:05Z

Weaknesses