Description
Use after free in Input in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Published: 2026-07-08
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Use after free in the Input component of Google Chrome versions before 150.0.7871.115 allows a remote attacker to craft a malicious HTML page that causes the browser to execute code within a sandboxed environment. The vulnerability is a classic use‑after‑free flaw (CWE‑416). Once triggered, the attacker can run arbitrary code inside the sandbox which may lead to privilege escalation or compromise of the user’s local environment if the sandbox is fully trusted. The effect is therefore the execution of arbitrary code with the power of the browser process.

Affected Systems

Google Chrome, all operating systems where the browser is installed, on any machine running a version prior to Chrome 150.0.7871.115. Users need to check their installed Chrome version and apply the update to a supported release to eliminate the flaw.

Risk and Exploitability

Chromium lists the issue as high severity. No EPSS score is available and it is not present in the CISA KEV catalog, so the current exploitation probability is unknown. The vulnerability requires the delivery of a specially crafted HTML page, meaning a remote attacker can execute this trade‑off through browsers accessed over the Internet. Once the use‑after‑free is triggered, arbitrary code runs within the sandbox, potentially compromising the entire session if the sandbox trusts the page resources. Overall, the risk is significant for any system that allows the user to load untrusted web content.

Generated by OpenCVE AI on July 9, 2026 at 03:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install Chrome version 150.0.7871.115 or newer to patch the use‑after‑free flaw.
  • Ensure Chrome auto‑update is enabled so that future security patches are installed automatically.
  • As an additional precaution, restrict access to untrusted websites or disable the affected feature through enterprise policy until the update can be applied.

Generated by OpenCVE AI on July 9, 2026 at 03:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 09 Jul 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 09 Jul 2026 04:00:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via Use‑After‑Free in Chrome Input Component

Thu, 09 Jul 2026 01:15:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Wed, 08 Jul 2026 23:00:00 +0000

Type Values Removed Values Added
Description Use after free in Input in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Weaknesses CWE-416
References

cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-07-09T10:17:25.545Z

Reserved: 2026-07-08T17:07:41.473Z

Link: CVE-2026-15118

cve-icon Vulnrichment

Updated: 2026-07-09T10:17:14.433Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-09T03:45:03Z

Weaknesses