Description
Use after free in IME in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Published: 2026-06-30
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A use-after-free bug in the Input Method Editor (IME) component of Google Chrome enabled a remote attacker to run arbitrary code inside the browser sandbox by serving a specially crafted HTML page. The vulnerability stems from improper handling of freed memory (CWE-416): malicious data could be processed after the associated object was deallocated. Exploitation could lead to code execution with the privileges of the current user, potentially compromising the confidentiality and integrity of the system.

Affected Systems

The flaw affected Google Chrome desktop releases prior to version 150.0.7871.47. All builds that include this IME implementation are susceptible until upgraded to the patched version. Because the CVE covers every version prior to 150.0.7871.47, users of any older stable channel should check their installed version.

Risk and Exploitability

The public EPSS score is not available and the vulnerability is not listed in CISA's KEV catalog, indicating no current known exploit in the wild. Nevertheless, the Chromium severity is classified as High, and the attack would likely be carried out via a crafted HTML page opened in the victim's Chrome browser. Barring an official workaround, the risk remains significant for any user who visits malicious sites while running an affected Chrome build.

Generated by OpenCVE AI on July 1, 2026 at 01:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Chrome 150.0.7871.47 or later.
  • Turn on Chrome's automatic update feature so future fixes are applied automatically.
  • Limit browsing from untrusted networks until the update is installed.

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 02:15:00 +0000

Type | Values Removed | Values Added
Title | | Use-After-Free in Chrome IME Enables Remote Code Execution via Crafted Page

Tue, 30 Jun 2026 23:15:00 +0000

Type | Values Removed | Values Added
Description | | Use after free in IME in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Weaknesses | | CWE-416
References | |

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-30T22:37:41.835Z

Reserved: 2026-06-29T23:03:23.544Z

Link: CVE-2026-13811

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T02:00:07Z

Weaknesses