Description
Use after free in Views in Google Chrome prior to 150.0.7871.115 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Published: 2026-07-08
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A use‑after‑free flaw in Chrome’s Views component allows a maliciously crafted HTML page to corrupt heap memory when a user performs specific UI gestures. The resulting heap corruption can lead to arbitrary code execution or denial of service, and the vulnerability is categorized as high severity by Chromium's security team.

Affected Systems

Google Chrome browsers running versions older than 150.0.7871.115 are affected by this vulnerability.

Risk and Exploitability

Attackers can exploit this issue by hosting a malicious HTML page and tricking users into interacting with it. The exploitation requires the user to engage in particular UI gestures, so it is a remotely triggered, user‑interaction‑dependent attack. While an exploit would target the victim’s local machine, the CVE is not listed in the CISA KEV catalog and EPSS data is unavailable, suggesting that exploitation is not yet observed at scale. The high CVSS score indicates that fully exploited, the impact would be complete system compromise.

Generated by OpenCVE AI on July 9, 2026 at 03:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to the latest stable version (≥150.0.7871.115).
  • Avoid downloading or opening untrusted HTML files or web pages from unknown sources that may contain malicious scripts.
  • If updating immediately is not possible, consider disabling JavaScript or using security extensions that restrict execution of unknown content to reduce the risk of the heap corruption triggering.

Generated by OpenCVE AI on July 9, 2026 at 03:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 09 Jul 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 09 Jul 2026 04:00:00 +0000

Type Values Removed Values Added
Title Use After Free in Chrome Views Enables Potential Heap Corruption and Remote Code Execution

Thu, 09 Jul 2026 00:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Wed, 08 Jul 2026 23:00:00 +0000

Type Values Removed Values Added
Description Use after free in Views in Google Chrome prior to 150.0.7871.115 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Weaknesses CWE-416
References

cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-07-09T10:31:19.064Z

Reserved: 2026-07-08T17:07:39.516Z

Link: CVE-2026-15111

cve-icon Vulnrichment

Updated: 2026-07-09T10:31:05.753Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-09T03:45:03Z

Weaknesses