Description
Use after free in Autofill in Google Chrome on Windows prior to 149.0.7827.197 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)
Published: 2026-06-24
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Use‑after‑free vulnerability in the Autofill component of Google Chrome on Windows allows an attacker to execute arbitrary code by serving a malicious HTML page to the user. The flaw arises when the browser accesses freed memory, enabling code injection and full control of the browser process. This can result in compromise of the user’s data and system.

Affected Systems

Google Chrome browsers running on Windows prior to version 149.0.7827.197 are affected. Users who have not updated to the fixed release are at risk.

Risk and Exploitability

The vulnerability has a CVSS score of 8.8, indicating a high level of severity. The EPSS score is < 1%, indicating a very low but non‑zero exploitation probability, and the issue is not listed in the CISA KEV catalog. An attacker can exploit it remotely by causing a victim to load a crafted HTML page in the browser, triggering the use‑after‑free and executing arbitrary code with the privileges of the browser process.

Generated by OpenCVE AI on June 29, 2026 at 13:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to version 149.0.7827.197 or later.
  • If an immediate update is not possible, disable the Autofill feature through Chrome settings or IT policy to prevent the vulnerable code path from executing.
  • Monitor for any further advisories or exploit activity related to CVE‑2026‑13038 from Google or security communities.

Generated by OpenCVE AI on June 29, 2026 at 13:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4654-1 chromium security update
Debian DSA Debian DSA DSA-6364-1 chromium security update
History

Mon, 29 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Title chromium-browser: chromium-browser: Use after free in Autofill
Weaknesses CWE-825
References
Metrics threat_severity

None

threat_severity

Critical


Thu, 25 Jun 2026 06:15:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Wed, 24 Jun 2026 23:00:00 +0000

Type Values Removed Values Added
Title Use-After-Free in Chrome Autofill Allows Remote Code Execution via Crafted HTML Page

Wed, 24 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Title Use-After-Free in Chrome Autofill Allows Remote Code Execution via Crafted HTML Page

Wed, 24 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 19:15:00 +0000

Type Values Removed Values Added
Description Use after free in Autofill in Google Chrome on Windows prior to 149.0.7827.197 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)
Weaknesses CWE-416
References

cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-25T03:55:38.182Z

Reserved: 2026-06-23T17:14:13.152Z

Link: CVE-2026-13038

cve-icon Vulnrichment

Updated: 2026-06-24T19:25:22.608Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Critical

Publid Date: 2026-06-24T18:43:14Z

Links: CVE-2026-13038 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-29T13:30:05Z

Weaknesses