Description
Use after free in Ozone in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)
Published: 2026-07-08
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a use‑after‑free in the Ozone windowing backend of Google Chrome that exists in versions before 150.0.7871.115. A carefully constructed HTML page can trigger a heap corruption, which may ultimately allow an attacker to execute arbitrary code on the compromised machine. The weakness corresponds to CWE‑416 and is classified as Critical by Chromium’s security team.

Affected Systems

Google Chrome binaries released before version 150.0.7871.115 – that includes Chromium 149.x and earlier on all platforms that use the Ozone backend. Users of these browsers, especially on Linux systems that compile with Ozone, are impacted.

Risk and Exploitability

Although the security severity is Critical, no exploit is publicly documented and the EPSS score is < 1%. The problem is likely exploitable via a malicious website, so any user who opens a crafted page could be affected. The vulnerability is not listed in the CISA KEV catalog. Prompt patching mitigates the risk.

Generated by OpenCVE AI on July 9, 2026 at 23:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Chrome version 150.0.7871.115 or later; this patch removes the offending use‑after‑free.
  • Ensure Chrome’s automatic update feature is enabled so that future security patches are applied without manual intervention.
  • If you cannot update immediately, conduct a thorough scan of your system for signs of exploitation and restrict browsing to trusted sites until the patch is applied.

Generated by OpenCVE AI on July 9, 2026 at 23:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 09 Jul 2026 23:45:00 +0000

Type Values Removed Values Added
Title Use‑After‑Free in Ozone Leading to Potential Heap Corruption via Crafted HTML Page

Thu, 09 Jul 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 09 Jul 2026 04:00:00 +0000

Type Values Removed Values Added
Title Use‑After‑Free in Ozone Leading to Potential Heap Corruption via Crafted HTML Page

Thu, 09 Jul 2026 00:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Wed, 08 Jul 2026 23:00:00 +0000

Type Values Removed Values Added
Description Use after free in Ozone in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)
Weaknesses CWE-416
References

cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-07-09T10:18:38.199Z

Reserved: 2026-07-08T17:07:39.782Z

Link: CVE-2026-15112

cve-icon Vulnrichment

Updated: 2026-07-09T10:17:52.333Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-09T23:30:16Z

Weaknesses