Description
Use after free in Extensions in Google Chrome prior to 150.0.7871.47 allowed an attacker who convinced a user to install a malicious extension to execute arbitrary code via a crafted Chrome Extension. (Chromium security severity: Critical)
Published: 2026-06-30
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A use-after-free flaw in Google Chrome's extension handling allows a crafted extension to execute code of the attacker's choosing. If a user installs the malicious extension, the attacker can gain full control of the browser process and, from there, reach system resources.

Affected Systems

All desktop variants of Google Chrome running a version earlier than 150.0.7871.47 are vulnerable. This includes Windows, macOS, and Linux builds that have not yet received the latest stable channel update.

Risk and Exploitability

Chromium rates the vulnerability Critical, and it is classified as a use-after-free weakness (CWE-416). The EPSS score is currently unavailable and the issue is not listed in the CISA KEV catalog, indicating no confirmed widespread exploitation at this time. The attack vector relies on social engineering: an attacker must convince a user to install a malicious extension. Once the extension is loaded, arbitrary code execution follows without further conditions.

Generated by OpenCVE AI on July 1, 2026 at 04:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Chrome update (150.0.7871.47 or newer).
  • Remove or disable any extensions that are not explicitly trusted by the user.
  • Temporarily block the installation of new extensions until the update is applied.


Advisories

No advisories yet.

History

Wed, 01 Jul 2026 05:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Title | | Use-after-free in Chrome Extensions Allows Arbitrary Code Execution |

Tue, 30 Jun 2026 23:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Use after free in Extensions in Google Chrome prior to 150.0.7871.47 allowed an attacker who convinced a user to install a malicious extension to execute arbitrary code via a crafted Chrome Extension. (Chromium security severity: Critical) |
| Weaknesses | | CWE-416 |
| References | | |

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-30T22:37:27.090Z

Reserved: 2026-06-29T23:03:13.741Z

Link: CVE-2026-13774

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T04:45:05Z

Weaknesses