Description
Use after free in Forms in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Published: 2026-07-08
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A use‑after‑free flaw in the Form handling of Google Chrome prior to version 150.0.7871.115 allows a remote attacker to execute arbitrary code within the browser sandbox by delivering a specially crafted HTML page. The vulnerability is a classic memory corruption bug (CWE‑416) that, once triggered, grants the attacker execution capabilities inside the sandboxed environment. While the sandbox limits system impact, arbitrary code execution in that context can compromise user data, exfiltrate information, or pivot to higher privileges if the sandbox is escaped or if downstream extensions are affected.

Affected Systems

All users running Google Chrome stable channel builds older than 150.0.7871.115 are potentially exposed. The exact versions affected are not enumerated in the advisory, but the issue was fixed in the 150.0.7871.115 release, which is the recommendation for all existing installations.

Risk and Exploitability

The CVE is classified with high severity, yet no EPSS value is published and the vulnerability is not listed in CISA’s KEV catalog. The attack vector is inferred to be through an attacker‑controlled web page that users visit, since the flaw is triggered by a crafted HTML form. Exploitation would require the user to load the exploit page, so the risk is moderate to high for environments where users visit untrusted sites. Once the exploit is executed, the attacker can perform actions limited by the browser sandbox, but the impact could still be significant if sandbox escapes or policy violations occur.

Generated by OpenCVE AI on July 9, 2026 at 03:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Chrome to version 150.0.7871.115 or later, which contains the fix for the use‑after‑free bug.
  • Verify that Chrome’s automatic update mechanism is enabled so future patches are applied without manual intervention.
  • Administrators may enforce a temporary restriction on form handling via Chrome Enterprise policy or Content Security Policy headers in internal web applications to reduce exposure until all clients are refreshed.

Generated by OpenCVE AI on July 9, 2026 at 03:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 09 Jul 2026 04:00:00 +0000

Type Values Removed Values Added
Title Use-After-Free in Chrome Forms Enables Remote Code Execution

Thu, 09 Jul 2026 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Wed, 08 Jul 2026 23:00:00 +0000

Type Values Removed Values Added
Description Use after free in Forms in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Weaknesses CWE-416
References

cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-07-08T22:36:04.900Z

Reserved: 2026-07-08T17:07:43.483Z

Link: CVE-2026-15126

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-09T03:45:03Z

Weaknesses