Description
Use after free in Payments in Google Chrome on Android prior to 149.0.7827.201 allowed a local attacker to potentially exploit heap corruption via physical access to the device. (Chromium security severity: High)
Published: 2026-06-25
Score: 6.8 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A use-after-free flaw exists in the Payments module of Google Chrome for Android prior to version 149.0.7827.201. The flaw can lead to heap corruption, which may enable a local attacker to execute arbitrary code on the device and compromise data confidentiality and integrity. The weakness is identified as CWE-416.

Affected Systems

The vulnerability affects Google Chrome for Android. All installations of Chrome on Android devices running a version older than 149.0.7827.201 are impacted.

Risk and Exploitability

Chromium security rates the vulnerability High severity. The CVSS score is 6.8, which indicates moderate risk given the potential impact. No EPSS score is available and the issue is not listed in the CISA KEV catalog. The only known exploitation condition is physical access to the device, so the likely attack vector is local physical access, and exploitation depends on the attacker first gaining that access.

Generated by OpenCVE AI on June 26, 2026 at 03:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to version 149.0.7827.201 or newer
  • Disable the Payments feature or block its usage until an updated Chrome version is installed
  • Implement strict physical security controls to prevent unauthorized device access



Advisories

No advisories yet.

History

Fri, 26 Jun 2026 04:15:00 +0000

Type | Values Removed | Values Added
Title | | Use-after-Free in Chrome Payments Leads to Local Heap Corruption

Fri, 26 Jun 2026 03:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Google, Google chrome
Vendors & Products | | Google, Google chrome

Fri, 26 Jun 2026 02:30:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 6.8, 'vector': 'CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 25 Jun 2026 23:45:00 +0000

Type | Values Removed | Values Added
Title | | Use-after-Free in Chrome Payments Leads to Local Heap Corruption

Thu, 25 Jun 2026 22:00:00 +0000

Type | Values Removed | Values Added
Description | | Use after free in Payments in Google Chrome on Android prior to 149.0.7827.201 allowed a local attacker to potentially exploit heap corruption via physical access to the device. (Chromium security severity: High)
Weaknesses | | CWE-416
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-26T01:23:29.566Z

Reserved: 2026-06-24T21:53:13.529Z

Link: CVE-2026-13282

Vulnrichment

Updated: 2026-06-26T01:23:16.529Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T04:00:07Z

Weaknesses