Description
Heap buffer overflow in Chromecast in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Published: 2026-06-30
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A heap buffer overflow was discovered in the Chromecast component of Google Chrome, enabling an attacker who has already compromised the renderer process to escape the browser sandbox and execute arbitrary code on the underlying operating system. The flaw, classified as CWE-122 (heap-based buffer overflow), can lead to full system compromise if the crafted HTML page is successfully loaded and executed in the vulnerable process.

Affected Systems

The vulnerability affects all installations of Google Chrome running versions earlier than 150.0.7871.47. This includes the stable desktop channel and any earlier builds that have not applied the 2026-06 update.

Risk and Exploitability

The flaw carries a high severity rating in Chromium's own assessment. No EPSS data is currently available, and the issue is not listed in the CISA KEV catalog. Exploitation requires an attacker to deliver a malicious HTML page that triggers the overflow while the renderer process is already compromised, so this is a multi-step attack in which the bug serves as the sandbox-escape stage. The absence of documented public exploits and the specialized prerequisites reduce the likelihood of widespread exploitation, but the potential impact remains substantial for exposed systems.

Generated by OpenCVE AI on July 1, 2026 at 01:53 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 150.0.7871.47 or later to apply the heap overflow fix.
  • Disable the Chromecast feature by removing or blocking the Cast extension if the feature is not needed.
  • Apply an enterprise policy to enforce the latest Chrome version and restrict installation of the Cast extension to prevent privilege escalation.



Advisories

No advisories yet.

History

Wed, 01 Jul 2026 02:15:00 +0000

Type: Title
Values added: Chromecast Heap Buffer Overflow Allowing Remote Code Execution

Tue, 30 Jun 2026 23:15:00 +0000

Type: Description
Values added: Heap buffer overflow in Chromecast in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Type: Weaknesses
Values added: CWE-122

Type: References
Values added: (none listed)

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-30T22:37:36.916Z

Reserved: 2026-06-29T23:03:20.375Z

Link: CVE-2026-13798

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T02:00:07Z

Weaknesses
  • CWE-122: Heap-based Buffer Overflow