Description
Use after free in Touchbar in Google Chrome on Mac prior to 150.0.7871.47 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Published: 2026-06-30
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A use-after-free condition in Chrome's Touchbar code occurs when a previously freed object is accessed again. An attacker can deliver a specially crafted HTML page that triggers this use after free, potentially allowing the attacker to escape the browser sandbox and execute code with host-level privileges. The weakness is classified as CWE-416 and the security severity is High. Such an escape could compromise the confidentiality, integrity, and availability of the affected system.

Affected Systems

The vulnerability affects Google Chrome on macOS in versions before the patched release, 150.0.7871.47. All earlier stable channel builds that include the Touchbar functionality are vulnerable. The affected product is Google Chrome for macOS, with affected versions up to and including 150.0.7871.46.
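
The version boundary above can be checked mechanically. The script below is an added example, not part of the OpenCVE record or of Chrome: it compares dotted version strings against the fixed build and flags hosts in an inventory that are not confirmed patched. The default install path and the "host version" inventory format are assumptions.

```sh
#!/bin/sh
# Added example: compare Chrome versions against the fixed build for this CVE.
FIXED="150.0.7871.47"                   # fixed version stated in the description
APP="/Applications/Google Chrome.app"   # assumption: default install location

# version_lt A B: exit 0 when dotted numeric version A is lower than B.
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        x=${x:-0}; y=${y:-0}            # a missing component counts as 0
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
    done
    return 1                            # equal versions are not "lower"
}

# classify VERSION: print vulnerable, patched, or unknown (unparseable input).
classify() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) echo unknown; return 0 ;;
    esac
    if version_lt "$1" "$FIXED"; then echo vulnerable; else echo patched; fi
}

# installed_version: read the bundle version of the local Chrome install.
installed_version() {
    /usr/libexec/PlistBuddy -c 'Print :CFBundleShortVersionString' \
        "$APP/Contents/Info.plist" 2>/dev/null
}

# audit: read "host version" lines on stdin; print every host not confirmed patched.
audit() {
    while read -r host ver; do
        [ -n "$host" ] || continue
        st=$(classify "$ver")
        [ "$st" = patched ] || echo "$host $ver $st"
    done
}

# On a Mac with Chrome installed, report the local status.
if [ -f "$APP/Contents/Info.plist" ]; then
    v=$(installed_version) || v=
    echo "Chrome ${v:-unknown}: $(classify "$v")"
fi
```

The bundle version reflects what is on disk; a Chrome process that was already running keeps the old code until it is relaunched.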

Risk and Exploitability

The CVSS score is not provided, but the vulnerability is classified as high severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote: a malicious webpage can be served to a user who has Chrome open. Exploitation requires that the user visits a page containing the crafted HTML. Once the use after free occurs, the attacker may escape the sandbox, potentially leading to remote code execution. Because no exploit code is publicly known, the actual exploitation risk remains uncertain but significant.

Generated by OpenCVE AI on July 1, 2026 at 00:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to version 150.0.7871.47 or later
  • If an immediate update is not possible, uninstall or disable Chrome until the update can be applied
  • Monitor system logs and network activity for signs of exploitation attempts and keep Chrome auto-update enabled

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 00:45:00 +0000

| Type | Values Removed | Values Added |
|------|----------------|--------------|
| Title | | Use After Free in Chrome Touchbar Enabling Sandbox Escape |

Tue, 30 Jun 2026 23:15:00 +0000

| Type | Values Removed | Values Added |
|------|----------------|--------------|
| Description | | Use after free in Touchbar in Google Chrome on Mac prior to 150.0.7871.47 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) |
| Weaknesses | | CWE-416 |
| References | | |

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-30T22:37:34.676Z

Reserved: 2026-06-29T23:03:18.880Z

Link: CVE-2026-13792

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T00:30:06Z

Weaknesses