Description
Use after free in Autofill in Google Chrome on Windows prior to 149.0.7827.197 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)
Published: 2026-06-24
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A use-after-free vulnerability in the Autofill component of Google Chrome on Windows allows an attacker to execute arbitrary code by serving a malicious HTML page to the user. The flaw arises when the browser accesses memory that has already been freed; under the right conditions this lets attacker-controlled data be interpreted as code or pointers, giving full control of the browser process. This can result in compromise of the user's data and system.

Affected Systems

Google Chrome browsers running on Windows prior to version 149.0.7827.197 are affected. Users who have not updated to the fixed release are at risk.

Risk and Exploitability

The vulnerability is classified as critical. No EPSS score is available, and the issue is not listed in the CISA KEV catalog. An attacker can exploit it remotely by causing a victim to load a crafted HTML page in the browser, triggering the use-after-free and executing arbitrary code with the privileges of the browser process.

Generated by OpenCVE AI on June 24, 2026 at 20:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to version 149.0.7827.197 or later.
  • If an immediate update is not possible, disable the Autofill feature through Chrome settings or IT policy to prevent the vulnerable code path from executing.
  • Monitor for any further advisories or exploit activity related to CVE-2026-13038 from Google or security communities.


Advisories

No advisories yet.

History

Wed, 24 Jun 2026 20:45:00 +0000

Type: Title
Values Removed: (none)
Values Added: Use-After-Free in Chrome Autofill Allows Remote Code Execution via Crafted HTML Page

Wed, 24 Jun 2026 20:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:

cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 19:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: Use after free in Autofill in Google Chrome on Windows prior to 149.0.7827.197 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-416

Type: References
Values Removed: (none)
Values Added: (none listed)

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-24T19:25:25.480Z

Reserved: 2026-06-23T17:14:13.152Z

Link: CVE-2026-13038

Vulnrichment

Updated: 2026-06-24T19:25:22.608Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T20:30:04Z

Weaknesses