Description
Use after free in QUIC in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to potentially exploit heap corruption via malicious network traffic. (Chromium security severity: High)
Published: 2026-06-30
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A use‑after‑free flaw in the QUIC implementation of Google Chrome allows an attacker to send crafted network traffic that can corrupt the browser's heap memory, potentially leading to arbitrary code execution. The vulnerability arises when a memory region is freed and later accessed, a classic heap corruption scenario that qualifies as a high‑severity weakness (CWE‑416). Because the flaw can be triggered by external input, it poses risks to confidentiality, integrity, and availability of an affected system.

Affected Systems

All desktop editions of Google Chrome older than version 150.0.7871.47, on Windows, macOS, and Linux, are vulnerable. The OS coverage is inferred from typical Chrome usage patterns, as it is not explicitly stated in the advisory. The issue specifically targets the QUIC networking stack, which is enabled by default for HTTPS traffic in recent releases distributed through the stable channel.

Risk and Exploitability

Based on the description, the attacker can exploit the flaw by directing malicious QUIC packets to a Chrome instance over the network; no local user interaction or elevated privileges are required. The EPSS score is < 1%, and the vulnerability is not listed in the CISA KEV catalog, so evidence of widespread exploitation is currently unknown. Nevertheless, the CVSS score of 8.1 indicates high risk, and the potential for arbitrary code execution warrants immediate remediation.

Generated by OpenCVE AI on July 1, 2026 at 22:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 150.0.7871.47 or later.
  • Enable automatic Chrome updates so future security patches are applied automatically.
  • If an update cannot be applied immediately, temporarily disable QUIC in Chrome by setting "chrome://flags/#enable-quic" to "Disabled" or block QUIC packets (typically over ports 443/8443) using network filtering.

Generated by OpenCVE AI on July 1, 2026 at 22:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 01 Jul 2026 15:00:00 +0000

Type Values Removed Values Added
Title Use-After-Free Heap Corruption in Chrome QUIC Allowing Remote Code Execution

Wed, 01 Jul 2026 12:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Wed, 01 Jul 2026 11:15:00 +0000

Type Values Removed Values Added
Title Chrome QUIC Use‑After‑Free Leading to Potential Remote Code Execution

Wed, 01 Jul 2026 05:00:00 +0000

Type Values Removed Values Added
Title Chrome QUIC Use‑After‑Free Leading to Potential Remote Code Execution

Tue, 30 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Use after free in QUIC in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to potentially exploit heap corruption via malicious network traffic. (Chromium security severity: High)
Weaknesses CWE-416
References

cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-07-01T15:32:18.838Z

Reserved: 2026-06-29T23:03:20.600Z

Link: CVE-2026-13799

cve-icon Vulnrichment

Updated: 2026-07-01T15:32:08.883Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-01T14:45:16Z

Weaknesses