Impact
Google Chrome's Blink rendering engine contains a use‑after‑free flaw that, when a specially crafted HTML page is rendered, causes the browser to operate on freed memory and enables execution of arbitrary code inside the sandbox. The defect is classified as CWE‑416 and CWE‑825 and was rated as high severity by Chromium security reviewers.
Affected Systems
The vulnerability affects Google Chrome browsers before version 149.0.7827.197 on desktop platforms. Users on the stable channel who have not installed the June 2026 update are vulnerable.
Risk and Exploitability
The flaw provides remote code execution with a sandbox escape, giving an attacker the ability to execute code with the privileges of the browser process. The EPSS score is < 1%, indicating a very low exploitation probability, but the CVSS score of 8.8 indicates a high severity. The vulnerability is not listed in the CISA KEV catalog. Attackers would need to entice users to visit a malicious web page or otherwise load a crafted HTML file.
OpenCVE Enrichment
Debian DLA
Debian DSA