Description
Use after free in Actor in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Published: 2026-07-08
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A use‑after‑free bug was found in Chrome’s Actor component that permits a remote attacker to run arbitrary code inside the browser’s sandbox when a user opens a specially crafted HTML page. The flaw, identified as CWE‑416, allows memory misuse that can lead to arbitrary code execution while the browser process remains sandboxed. If an attacker elevates this code outside the sandbox, the compromise could affect the entire host system, potentially leaking sensitive data or enabling further exploitation. Overall, the vulnerability carries a high severity level according to Chromium’s internal rating.

Affected Systems

Google Chrome is affected, with all releases prior to version 150.0.7871.115 vulnerable. Users running those earlier builds are at risk.

Risk and Exploitability

The vulnerability can be triggered remotely by hosting or delivering a malicious web page to the user. While the exploit requires the ability to create a use‑after‑free condition in the Actor layer, it does not need user interaction beyond visiting the page, making it socially engineerable. Although sandbox restrictions limit immediate system impact, the potential to escape the sandbox elevates the risk. No EPSS score is available and the flaw is currently not listed in the CISA KEV catalog, but the high severity rating indicates that defenders should treat it as a serious threat.

Generated by OpenCVE AI on July 9, 2026 at 03:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 150.0.7871.115 or newer
  • Ensure automatic browser updates are enabled so that future patches are applied automatically
  • If automatic updates cannot be used, download and install the latest Chrome release manually from the official Google website

Generated by OpenCVE AI on July 9, 2026 at 03:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 09 Jul 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 09 Jul 2026 04:00:00 +0000

Type Values Removed Values Added
Title Use-After-Free in Chrome Actor Enables Remote Code Execution via Crafted HTML Page

Thu, 09 Jul 2026 01:15:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Wed, 08 Jul 2026 23:00:00 +0000

Type Values Removed Values Added
Description Use after free in Actor in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Weaknesses CWE-416
References

cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-07-09T10:28:10.653Z

Reserved: 2026-07-08T17:07:40.968Z

Link: CVE-2026-15116

cve-icon Vulnrichment

Updated: 2026-07-09T10:27:50.997Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-09T03:45:03Z

Weaknesses