Description
Use after free in Forms in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Published: 2026-06-30
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A use‑after‑free flaw (CWE-416) in Chrome’s Forms component allows a remote attacker to execute arbitrary code inside Chrome’s sandbox. The vulnerability is triggered by a crafted HTML page, and the attacker’s code runs in the sandboxed process rather than with the full privileges of the browser. The primary impact is code execution that an attacker could use as a step toward further compromise.

Affected Systems

Google Chrome versions earlier than 150.0.7871.47 are affected. The issue was discovered in the Forms handling code and has been fixed in Chrome 150.0.7871.47 and later releases.

Risk and Exploitability

The vulnerability is rated High by Chromium’s security severity assessment. The attack vector is remote and requires an end user to load a malicious page. No EPSS score is available and the CVE is not listed in CISA’s KEV catalog, but the absence of these signals does not diminish the potential risk of exploitation. Per the description, code execution obtained through this flaw is confined to the sandbox; breaking out of the sandbox or compromising the system would take additional operations beyond this flaw.

Generated by OpenCVE AI on July 1, 2026 at 06:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to version 150.0.7871.47 or newer, which contains the fixed handling of the Forms component.
  • If an update cannot be applied immediately, use administrator policy or network controls to keep browsers from loading HTML pages, and the forms they contain, from untrusted sources.
  • In environments where upgrades are delayed, explicitly block or quarantine the affected Chrome binary or enforce a policy that limits site‑wide form processing until the patch is applied.

Generated by OpenCVE AI on July 1, 2026 at 06:10 UTC.

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 06:30:00 +0000

Type | Values Removed | Values Added
Title | | Chrome Forms Use-After-Free Enables Sandbox Code Execution

Tue, 30 Jun 2026 23:15:00 +0000

Type | Values Removed | Values Added
Description | | Use after free in Forms in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Weaknesses | | CWE-416
References | |

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-30T22:37:55.455Z

Reserved: 2026-06-29T23:03:32.744Z

Link: CVE-2026-13848

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T06:15:16Z

Weaknesses