Description
Use after free in Cast Receiver in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-30
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a use-after-free in the Cast Receiver component of Google Chrome. A crafted HTML page can cause memory to be freed and then reused, allowing a remote attacker to execute arbitrary code inside a sandboxed process. The sandbox confines that code, but code execution in the sandboxed process still lets the attacker run malware or conduct further attacks. Chromium rates the flaw as Medium severity.

Affected Systems

The flaw affects Google Chrome versions prior to 150.0.7871.47. Any installation that includes the Cast Receiver functionality is vulnerable until the browser is upgraded to 150.0.7871.47 or later.

Risk and Exploitability

There is no EPSS score available and the CVE is not listed in the CISA KEV catalog, indicating no known widespread exploitation yet. The likely attack vector is a remote attacker delivering a malicious web page that activates the Cast Receiver. Given the medium severity rating within Chromium and the absence of public exploitation data, the risk is moderate but should be addressed promptly because the flaw can be leveraged to execute arbitrary code.

Generated by OpenCVE AI on July 1, 2026 at 01:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 150.0.7871.47 or later to apply the fix.
  • Ensure the browser reloads and the new version is active by restarting all Chrome processes.
  • If you do not require casting features, disable the Cast Receiver to reduce the attack surface until the patch can be applied.

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 02:00:00 +0000

Type | Values Removed | Values Added
Title | | Use After Free in Chrome Cast Receiver Enabling Remote Code Execution

Tue, 30 Jun 2026 23:15:00 +0000

Type | Values Removed | Values Added
Description | | Use after free in Cast Receiver in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)
Weaknesses | | CWE-416
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-30T22:38:13.675Z

Reserved: 2026-06-29T23:03:45.210Z

Link: CVE-2026-13898

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T01:45:06Z

Weaknesses