Impact
A use‑after‑free fault exists in Chrome’s Web Authentication subsystem in builds older than 149.0.7827.197. When a user installs a specially crafted extension, the code may access deallocated memory, which can corrupt the heap. The vulnerability does not claim that this corruption leads to arbitrary code execution; the primary risk is memory corruption that could cause application crashes, data loss, or other unintended behavior.
Affected Systems
All Google Chrome installations older than version 149.0.7827.197 are affected. The bug was patched in the June 2026 stable channel update, so any compliant environment that has applied the July 2026 update is no longer vulnerable.
Risk and Exploitability
The problem carries a CVSS score of 7.5 and an EPSS probability of less than 1%, indicating low practical exploit likelihood. It is not listed in the CISA KEV catalog. The exploitation path requires a user to voluntarily install a malicious extension; there is no evidence that the weakness can be triggered remotely or without user interaction. Thus the risk hinges on social engineering or malicious supply chain attacks to deliver the extension.
OpenCVE Enrichment
Debian DLA
Debian DSA