Description
Use after free in GPU in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
Published: 2026-06-30
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a use‑after‑free in the GPU component of Google Chrome, classified as CWE‑416. A remote attacker who has already compromised the renderer process can potentially use a crafted HTML page to escape the sandbox, allowing execution of arbitrary code or access to privileged system resources. Chromium rates the issue as critical, highlighting the severity of the potential sandbox escape. The attack clearly requires initial compromise of the renderer, such as via malicious web content or a cross‑site scripting vector, but once achieved it can compromise the host operating system.

Affected Systems

All installations of Google Chrome up to, but not including, version 150.0.7871.47 are affected. Users who have not yet upgraded to this or newer stable channel releases remain vulnerable. The flaw affects the standard Chrome desktop build for all platforms that use the GPU path for rendering.

Risk and Exploitability

Because the CVSS score is not publicly disclosed and EPSS is unavailable, the raw severity is inferred from the critical rating. The vulnerability is high‑risk when the precondition of renderer compromise is met, but the overall risk to an uninformed end‑user is moderate because it requires a sophisticated attacker to deliver malicious content first. The flaw is not listed in the CISA KEV catalog, indicating no public exploitation evidence at the time of this analysis. Nonetheless, given the critical classification, the recommended response is to upgrade immediately. The primary attack vector is a maliciously crafted web page loaded by a user in a compromised renderer process.

Generated by OpenCVE AI on July 1, 2026 at 00:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to version 150.0.7871.47 or newer.
  • If an immediate update is not possible, disable GPU acceleration for all sites by launching Chrome with the flag --disable-gpu or by setting the corresponding flag to Off in chrome://flags, thereby reducing the attack surface.
  • As a temporary mitigative measure, launch Chrome with the --single-process or --disable-gpu-process flags to force software rendering, limiting the GPU component’s exposure.

Generated by OpenCVE AI on July 1, 2026 at 00:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 00:45:00 +0000

Type Values Removed Values Added
Title Use‑After‑Free in GPU Layer Leading to Potential Sandbox Escape in Google Chrome

Tue, 30 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Use after free in GPU in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
Weaknesses CWE-416
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-30T22:37:27.630Z

Reserved: 2026-06-29T23:03:14.042Z

Link: CVE-2026-13775

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-01T00:30:06Z

Weaknesses