Description
Use after free in Web Authentication in Google Chrome prior to 149.0.7827.197 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension. (Chromium security severity: High)
Published: 2026-06-24
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A use-after-free flaw in the Web Authentication implementation of Google Chrome prior to build 149.0.7827.197 can cause heap corruption when a maliciously crafted Chrome Extension is loaded. This vulnerability can be exploited to execute arbitrary code or crash processes, compromising the confidentiality, integrity or availability of the user's data and browser session.

Affected Systems

All installations of Google Chrome that are earlier than version 149.0.7827.197 are affected. The flaw was addressed in the June 2026 stable channel update.

Risk and Exploitability

The vulnerability is classified as high severity. No EPSS score is available, and the flaw is not listed in the CISA KEV catalog. The likely attack scenario requires the attacker to persuade a user to install a malicious extension; once the extension is loaded, the use-after-free can be triggered to corrupt heap memory and potentially gain code execution within the renderer process. The exploitability depends on user interaction and the presence of a malicious extension.

Generated by OpenCVE AI on June 24, 2026 at 20:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Chrome to version 149.0.7827.197 or later.
  • Enable the Chrome Extension Autoupdate feature so extensions are automatically updated to the latest safe version.
  • Restrict extension installation to trusted sources via Chrome Enterprise policies or use the "Only allow extensions from the Chrome Web Store" setting.



Advisories

No advisories yet.

History

Wed, 24 Jun 2026 20:45:00 +0000

Type: Title
Values removed: (none)
Values added: Use-After-Free in Web Authentication Enabling Heap Corruption via Malicious Chrome Extension

Wed, 24 Jun 2026 20:30:00 +0000

Type: Metrics
Values removed: (none)
Values added:
  cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 24 Jun 2026 19:15:00 +0000

Type: Description
Values removed: (none)
Values added: Use after free in Web Authentication in Google Chrome prior to 149.0.7827.197 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension. (Chromium security severity: High)

Type: Weaknesses
Values removed: (none)
Values added: CWE-416

Type: References
Values removed: (none)
Values added:

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-24T19:33:26.711Z

Reserved: 2026-06-23T17:14:10.450Z

Link: CVE-2026-13029

Vulnrichment

Updated: 2026-06-24T19:31:53.813Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T20:30:04Z

Weaknesses