Description
Use after free in Chromecast in Google Chrome prior to 150.0.7871.47 allowed an attacker on the local network segment to obtain potentially sensitive information from process memory via a malicious peripheral. (Chromium security severity: Low)
Published: 2026-06-30
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The CVE describes a use-after-free flaw in the Chromecast component of Google Chrome. An attacker on the same local network segment as a Chrome instance who can present it with a malicious Chromecast peripheral can trigger the bug and read memory of the Chrome process. This could expose sensitive data such as browsing history, credentials or private pages, which makes it an information-disclosure vulnerability. The weakness is categorized as CWE-416.

Affected Systems

Chrome versions prior to 150.0.7871.47 on desktop platforms that include the built-in Chromecast support are affected. Users running Chrome 149.x or older on Windows, macOS, Linux, or other systems that embed Chromecast must upgrade to address the issue.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity. No EPSS score is published, and the flaw is not listed in CISA's KEV catalog, suggesting limited known exploitation. The attack requires presence on the local network segment and physical or logical access to a Chromecast peripheral, so the probability of attack is lower than for remote exploits. Nevertheless, exploitation can lead to sensitive data leakage, warranting prompt remediation where the local network is shared with unknown devices.

Generated by OpenCVE AI on July 1, 2026 at 13:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Chrome 150.0.7871.47 or later to apply the fix.
  • Restrict access to Chromecast peripherals by permitting only trusted devices on the local network.
  • Use network isolation or firewall rules to prevent untrusted traffic from reaching the Chromecast or Chrome processes.

Tracking

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 14:15:00 +0000

Type | Values Removed | Values Added
Title | | Local-Network Use-After-Free in Chrome's Chromecast Component

Wed, 01 Jul 2026 10:00:00 +0000

Type | Values Removed | Values Added
Title | | Use-after-free in Chrome's Chromecast Component Allows Local Network Information Disclosure

Wed, 01 Jul 2026 07:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Google; Google chrome
Vendors & Products | | Google; Google chrome

Wed, 01 Jul 2026 05:30:00 +0000

Type | Values Removed | Values Added
Title | | Use-after-free in Chrome's Chromecast Component Allows Local Network Information Disclosure

Wed, 01 Jul 2026 02:30:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 30 Jun 2026 23:15:00 +0000

Type | Values Removed | Values Added
Description | | Use after free in Chromecast in Google Chrome prior to 150.0.7871.47 allowed an attacker on the local network segment to obtain potentially sensitive information from process memory via a malicious peripheral. (Chromium security severity: Low)
Weaknesses | | CWE-416
References | |

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-07-01T01:18:08.872Z

Reserved: 2026-06-29T23:11:31.624Z

Link: CVE-2026-14048

Vulnrichment

Updated: 2026-07-01T01:18:04.797Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T14:00:06Z

Weaknesses