Description
Use after free in Headless in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Published: 2026-06-30
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a use‑after‑free flaw in Chrome’s Headless mode that allows an attacker, after compromising the renderer process, to invoke code outside the renderer’s sandbox. The flaw can lead to execution of arbitrary code with elevated privileges, jeopardizing the confidentiality, integrity, and availability of the system. It is classified as a high‑severity issue.

Affected Systems

Chrome versions before 150.0.7871.47 are affected. The issue exists in the Headless variant of Google Chrome run on desktop platforms.

Risk and Exploitability

The flaw is limited to the renderer process; an attacker must first gain control of this process, typically through a crafted HTML page or similar mechanism. The attack vector is inferred to be remote but requires renderer compromise, which may be achievable from a web page or potentially from a malicious local application that injects into Chrome. No exploitation probability score is available, and the vulnerability is not listed in the CISA KEV catalog. The CVSS severity is high, implying significant risk if the conditions for exploit are met.

Generated by OpenCVE AI on July 1, 2026 at 01:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Chrome to version 150.0.7871.47 or later
  • Disable or limit the use of Chrome in Headless mode when processing untrusted content
  • Apply policy restrictions to isolate renderer processes and reduce the attack surface

Generated by OpenCVE AI on July 1, 2026 at 01:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 02:15:00 +0000

Type Values Removed Values Added
Title Headless Chrome Use‑After‑Free Allows Sandbox Escape

Tue, 30 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Use after free in Headless in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Weaknesses CWE-416
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-30T22:37:49.631Z

Reserved: 2026-06-29T23:03:28.754Z

Link: CVE-2026-13832

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-01T02:00:07Z

Weaknesses