Description
Use after free in Downloads in Google Chrome on Android prior to 149.0.7827.155 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Published: 2026-06-17
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A use-after-free condition in the Downloads handling of Google Chrome on Android allows a remote attacker to provoke heap corruption by delivering a crafted HTML page. Successful exploitation of that corruption could potentially lead to arbitrary code execution or denial of service. The underlying weakness is a classic heap use-after-free (CWE-416).

Affected Systems

All Android devices running Google Chrome versions earlier than 149.0.7827.155 are affected. The vulnerability is present in the stable channel of Chrome on Android and is referenced as a high‑severity issue by Chromium security. Devices with older Chrome installations, such as 149.0.7827.154 and earlier, must be considered vulnerable.

Risk and Exploitability

The estimated EPSS score is below 1%, indicating a very low, though not zero, estimated likelihood of exploitation. The flaw is not currently listed in CISA's KEV catalog. Because the trigger is remote (an attacker only needs to supply a malicious HTML page), the attack vector is likely phishing or social engineering. The high Chromium severity suggests significant potential impact if the vulnerability is successfully exploited. The absence of a public exploit in the data set does not preclude future development of such code.

Generated by OpenCVE AI on June 17, 2026 at 17:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Chrome update, version 149.0.7827.155 or newer, using the official Android update channel or the Chrome release blog link.
  • If an update cannot be applied immediately, disable or restrict the Downloads feature so that Chrome does not automatically download or render suspicious content from remote pages.
  • Switch to a different, up‑to‑date browser or enable Chrome’s Safe‑Browsing features to mitigate potential exploitation until a patch is applied.

Advisories

No advisories yet.

History

Wed, 17 Jun 2026 07:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Google; Google chrome
Vendors & Products | | Google; Google chrome

Wed, 17 Jun 2026 05:15:00 +0000

Type | Values Removed | Values Added
Description | | Use after free in Downloads in Google Chrome on Android prior to 149.0.7827.155 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Weaknesses | | CWE-416
References | |

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-17T13:26:03.569Z

Reserved: 2026-06-16T19:38:28.576Z

Link: CVE-2026-12452

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-17T06:45:03Z

Weaknesses