Description
Use after free in Fullscreen in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)
Published: 2026-06-30
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is a use-after-free (CWE-416) in the Fullscreen component of Google Chrome on Android. Memory belonging to a fullscreen-related object is released while a reference to it is still live, and a later access through that stale reference lets a crafted HTML page corrupt memory and run arbitrary code in the context of Chrome. The public description does not state which fullscreen transition frees the object or how the page sequences the trigger; any such detail is inference, not part of the advisory. Chromium rates the issue Critical.

Affected Systems

Google Chrome for Android at versions earlier than 150.0.7871.47 is affected. Any user running a vulnerable build who loads a malicious web page that exercises the fullscreen code is exposed. The description names only the Android build; Chrome on other platforms is not listed as affected.

Risk and Exploitability

Chromium reserves the Critical rating for bugs that let an attacker run code with the full privileges of the browser user, not merely inside the sandboxed renderer, so a successful exploit is treated as a full compromise of the browser rather than of one tab. EPSS has not been published and the issue is not in the CISA KEV catalog; neither fact lowers the inherent risk of a remotely triggerable code execution flaw, and both can change as exploitation data accumulates. The attack vector is a crafted HTML page served from any site the victim visits, whether reached directly, through a phishing link or via a malicious advertisement; the official description confirms only the crafted page, and the delivery channels are inferred. One practical prerequisite applies: web content may call Element.requestFullscreen() only from a transient user activation such as a tap, so the victim most likely has to interact with the page, not merely load it. No authentication or special configuration is needed beyond a vulnerable Chrome build.

Generated by OpenCVE AI on July 1, 2026 at 01:13 UTC.

Remediation

Fixed in Chrome for Android 150.0.7871.47: the "prior to" bound in the description identifies the first fixed build, and updating is the vendor remediation. No separate workaround is published.

OpenCVE Recommended Actions

  • Upgrade Chrome to version 150.0.7871.47 or later on all Android devices, including the Beta, Dev and Canary channel packages where installed
  • Configure Android's auto-update policy (Google Play auto-updates or your MDM) so Chrome receives security patches promptly, and verify the installed version on devices rather than assuming the update landed
  • If immediate upgrade is not possible, limit the device to trusted web content, for example with a URL allowlist pushed through your MDM; the official description names no setting that blocks the fullscreen trigger itself
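Verifying the installed build is the check that closes the loop on the actions above. The script below is an added example for this page, not OpenCVE or Chromium code: it parses the `versionName=` field that `adb shell dumpsys package <pkg>` prints for an installed package and compares it numerically against the first fixed build, 150.0.7871.47. The `dumpsys` text embedded in the block is constructed sample output, not captured from a real device; the four package names are the real identifiers of Chrome's Android release channels.

```python
"""Check whether an installed Chrome for Android build predates the fix.

Added example for this advisory page (not OpenCVE or Chromium code).
Compares the versionName reported by `dumpsys package` against the
first fixed build. SAMPLE_DUMPSYS is constructed text for offline use.
"""
import re
import subprocess
from typing import Optional

FIXED_VERSION = "150.0.7871.47"

# Chrome release channels ship as separate packages on Android.
CHROME_PACKAGES = (
    "com.android.chrome",  # Stable
    "com.chrome.beta",
    "com.chrome.dev",
    "com.chrome.canary",
)

# Constructed sample of `adb shell dumpsys package com.android.chrome`.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.android.chrome] (3f2a1b):
    userId=10123
    versionCode=787104000 minSdk=29 targetSdk=35
    versionName=150.0.7871.40
    splits=[base]
"""


def parse_version(version: str) -> tuple:
    """Split a dotted Chrome version into a tuple of integers.

    String comparison would rank "150.0.7871.5" above "150.0.7871.47";
    comparing integer tuples gets MAJOR.MINOR.BUILD.PATCH ordering right.
    """
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build is older than the first fixed build."""
    return parse_version(installed) < parse_version(fixed)


def version_from_dumpsys(text: str) -> Optional[str]:
    """Extract versionName from `dumpsys package` output, or None if absent
    (an absent field means the package is not installed)."""
    m = re.search(r"^\s*versionName=(\S+)", text, re.MULTILINE)
    return m.group(1) if m else None


def check_device(pkg: str) -> Optional[str]:
    """Query a connected device over adb; requires adb on PATH."""
    try:
        out = subprocess.run(
            ["adb", "shell", "dumpsys", "package", pkg],
            capture_output=True, text=True, check=False,
        ).stdout
    except FileNotFoundError:
        raise SystemExit("adb not found on PATH")
    return version_from_dumpsys(out)


if __name__ == "__main__":
    sample = version_from_dumpsys(SAMPLE_DUMPSYS)
    print(f"sample: versionName={sample} vulnerable={is_vulnerable(sample)}")
    for pkg in CHROME_PACKAGES:
        installed = check_device(pkg)
        if installed is None:
            print(f"{pkg}: not installed")
        else:
            print(f"{pkg}: {installed} vulnerable={is_vulnerable(installed)}")
```

Run it with a device attached over adb; the sample check runs first so the logic can be confirmed without hardware. The integer-tuple comparison matters: a naive string compare reports a patched 150.0.7871.100 as older than the fixed build.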

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 01:30:00 +0000

  Title (added): Use After Free in Fullscreen Rendering Allows Remote Code Execution

Tue, 30 Jun 2026 23:15:00 +0000

  Description (added): Use after free in Fullscreen in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)
  Weaknesses (added): CWE-416
  References: no values recorded

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-30T22:37:33.188Z

Reserved: 2026-06-29T23:03:17.854Z

Link: CVE-2026-13788

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T01:15:16Z

Weaknesses