Description
Use after free in Bluetooth in Google Chrome on Mac prior to 149.0.7827.197 allowed a remote attacker to execute arbitrary code via a malicious peripheral. (Chromium security severity: High)
Published: 2026-06-24
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A use after free flaw exists in Chrome’s Bluetooth implementation on macOS versions prior to 149.0.7827.197. The flaw allows an adversary to trigger arbitrary code execution by establishing a Bluetooth connection with Chrome using a specially crafted peripheral. This is a high‑severity issue that could compromise the confidentiality, integrity, and availability of the affected system.

Affected Systems

Versions of Google Chrome for macOS older than 149.0.7827.197 are vulnerable. The flaw is specific to the desktop Chrome application and applies only when the affected build runs on macOS.

Risk and Exploitability

The vulnerability can be triggered remotely through a Bluetooth peripheral. While the EPSS score is not available, the lack of a KEV listing and high Chromium severity suggest that exploitation is plausible but would require physical proximity or the ability to pair with the target device. No public exploit references exist yet, but users of older Chrome releases should consider the risk of code execution from malicious nearby devices.

Generated by OpenCVE AI on June 24, 2026 at 20:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Chrome to version 149.0.7827.197 or later on macOS
  • Disable or remove Bluetooth when it is not needed
  • Avoid pairing with unknown or untrusted Bluetooth peripherals

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 20:30:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}
 | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 19:15:00 +0000

Type | Values Removed | Values Added
Description | | Use after free in Bluetooth in Google Chrome on Mac prior to 149.0.7827.197 allowed a remote attacker to execute arbitrary code via a malicious peripheral. (Chromium security severity: High)
Weaknesses | | CWE-416
References | |

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-24T19:34:50.027Z

Reserved: 2026-06-23T17:14:12.313Z

Link: CVE-2026-13035

Vulnrichment

Updated: 2026-06-24T19:23:54.811Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T20:30:04Z

Weaknesses