Description
Use after free in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-30
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Chrome for iOS contains a use‑after‑free bug that corrupts its heap when a user interacts with a specially crafted web page, potentially enabling a remote attacker to execute arbitrary code. The flaw requires the victim to view malicious content and perform specific UI gestures, after which the corrupted memory can be leveraged to compromise the device. This issue stems from the rendering engine, so exploitation could give an attacker full control of the browser process.

Affected Systems

Google Chrome for iOS versions prior to 150.0.7871.47 are vulnerable; any device running this browser without the 150.0.7871.47 update is at risk.

Risk and Exploitability

The CVSS severity is medium, the EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, indicating no known widespread exploitation. Exploitation requires social engineering (convincing a user to open malicious content and perform gestures), which adds complexity, so exploitation is moderately likely; the potential for remote code execution nonetheless remains high enough to warrant prompt patching.

Generated by OpenCVE AI on July 1, 2026 at 01:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Chrome to version 150.0.7871.47 or later to eliminate the use‑after‑free bug.
  • Until the patch is applied, where possible enable Site Isolation and disable third‑party cookies or JavaScript in the browser settings to reduce the attack surface.
  • Train users to avoid interacting with unexpected web pages and to be cautious of unusual UI prompts that ask for gestures or actions.

Generated by OpenCVE AI on July 1, 2026 at 01:31 UTC.

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 02:00:00 +0000

Type | Values Removed | Values Added
Title | | Use‑After‑Free Heap Corruption in Chrome for iOS Enabling Remote Code Execution

Tue, 30 Jun 2026 23:15:00 +0000

Type | Values Removed | Values Added
Description | | Use after free in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)
Weaknesses | | CWE-416
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-30T22:38:20.009Z

Reserved: 2026-06-29T23:03:51.108Z

Link: CVE-2026-13915

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T01:45:06Z

Weaknesses