Description
Uninitialized Use in V8 in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Published: 2026-07-08
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an uninitialized use flaw in the V8 JavaScript engine that allows a remote attacker to execute arbitrary code inside a sandboxed process when a user loads a specially crafted HTML page. The attack compromises the sandbox boundaries, giving the attacker the same privileges as the browser process and potentially enabling further escalation. The weakness is identified as CWE-457, reflecting the improper initialization of a variable before use.

Affected Systems

Google Chrome browsers are affected, specifically all versions prior to 150.0.7871.115 as noted by the vendor. No additional affected product versions are listed in the available data.

Risk and Exploitability

Chromium reports the severity as High, yet the EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, indicating that widespread exploitation has not yet been observed. The likely attack vector is through a malicious web page that the user visits or that is injected into a legitimate site. Successful exploitation requires user interaction to load the page, after which the attacker can run code within the sandbox with the same rights as the browser. Given the high severity assessment, the potential impact is significant, though actual exploitation risk remains uncertain due to lack of EPSS data.

Generated by OpenCVE AI on July 9, 2026 at 03:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Chrome to version 150.0.7871.115 or later
  • Enable automatic updates to receive future patches promptly
  • Limit JavaScript execution for untrusted content or use a web‑filtering proxy to block known malicious HTML

Generated by OpenCVE AI on July 9, 2026 at 03:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 09 Jul 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 09 Jul 2026 04:00:00 +0000

Type Values Removed Values Added
Title Uninitialized Use in V8 Allows Remote Code Execution in Chrome

Thu, 09 Jul 2026 01:30:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Wed, 08 Jul 2026 23:00:00 +0000

Type Values Removed Values Added
Description Uninitialized Use in V8 in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Weaknesses CWE-457
References

cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-07-09T10:36:00.450Z

Reserved: 2026-07-08T17:07:45.050Z

Link: CVE-2026-15132

cve-icon Vulnrichment

Updated: 2026-07-09T10:35:40.102Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-09T03:45:03Z

Weaknesses
  • CWE-457

    Use of Uninitialized Variable