Description
Use after free in Autofill in Google Chrome on Android prior to 150.0.7871.115 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Published: 2026-07-08
Score: 9.6 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A use‑after‑free flaw in Chrome’s Autofill component on Android allows a remote attacker to supply a specially crafted HTML page that can potentially trigger a sandbox escape. This gives the attacker the ability to break out of the browser’s sandbox and execute code with native privileges or to read protected data, elevating a threat that was originally localized to the rendering process into a system‑level compromise. The weakness is classified as CWE‑416, highlighting the improper release and subsequent reuse of memory.

Affected Systems

All installations of Google Chrome for Android running a version earlier than 150.0.7871.115 are affected. The issue is present in the standard Chrome release channel for the Android platform and does not appear to be limited to specific device models or OEM builds.

Risk and Exploitability

The vulnerability is considered high severity, but it requires the user to load a malicious HTML page. EPSS data is unavailable, and the issue has not been listed in the CISA Known Exploited Vulnerabilities catalog. Consequently, while the exploitability is low to moderate by default, the impact is severe if an attacker can lure a user into visiting a malicious site. The most likely attack vector is standard web browsing, where a phishing or malicious site delivers the harmful payload. No public exploit is known, but the code path is open for exploitation by a remote attacker.

Generated by OpenCVE AI on July 9, 2026 at 03:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest Chrome update (150.0.7871.115 or newer) immediately.
  • Disable the Autofill feature in Chrome settings until an official patch is available.
  • Avoid visiting untrusted or suspicious websites, especially those that may host malicious HTML content.

Generated by OpenCVE AI on July 9, 2026 at 03:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 09 Jul 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 09 Jul 2026 04:00:00 +0000

Type Values Removed Values Added
Title Use After Free Leading to Sandbox Escape in Chrome Android Autofill

Thu, 09 Jul 2026 00:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Wed, 08 Jul 2026 23:00:00 +0000

Type Values Removed Values Added
Description Use after free in Autofill in Google Chrome on Android prior to 150.0.7871.115 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Weaknesses CWE-416
References

cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-07-09T10:30:12.769Z

Reserved: 2026-07-08T17:07:40.096Z

Link: CVE-2026-15113

cve-icon Vulnrichment

Updated: 2026-07-09T10:29:43.873Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-09T03:45:03Z

Weaknesses