Description
Use after free in Blink in Google Chrome prior to 149.0.7827.197 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Published: 2026-06-24
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Google Chrome's Blink rendering engine contains a use‑after‑free flaw that allows a remote attacker to execute arbitrary code inside the browser sandbox. The defect is triggered when a specially crafted HTML page is rendered, causing the browser to operate on freed memory and enabling code execution. This weakness is classified as CWE‑416 and was rated as high severity by Chromium security reviewers.

Affected Systems

The vulnerability applies to Google Chrome browsers before version 149.0.7827.197 on desktop platforms. Users of the stable channel that have not installed the June 2026 update are vulnerable.

Risk and Exploitability

The flaw provides remote code execution inside the sandbox, not a sandbox escape: per the vendor description, attacker code runs within the sandboxed process, and the CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U) reflects network-reachable exploitation with unchanged scope that requires the user to load the crafted page. Although EPSS data is not available, the vulnerability’s severity and known impact suggest a high likelihood of exploitation once the bug is known to attackers. It is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on June 24, 2026 at 20:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest Chrome update (149.0.7827.197 or newer).
  • Enable automatic updates in Chrome to receive future patches promptly.
  • Restrict access to potentially malicious web pages by disabling local file protocols or using enterprise policies that limit browsing of untrusted sites.



Advisories

No advisories yet.

History

Wed, 24 Jun 2026 20:45:00 +0000

Type | Values Removed | Values Added
Title | | Use‑After‑Free in Blink Allows Remote Code Execution in Chrome

Wed, 24 Jun 2026 20:30:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}; ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 19:15:00 +0000

Type | Values Removed | Values Added
Description | | Use after free in Blink in Google Chrome prior to 149.0.7827.197 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Weaknesses | | CWE-416
References | |


MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-24T19:34:12.773Z

Reserved: 2026-06-23T17:14:11.143Z

Link: CVE-2026-13031

Vulnrichment

Updated: 2026-06-24T19:28:42.429Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T20:30:04Z

Weaknesses