CVE-2026-13811

Google · Chrome

A use-after-free vulnerability in the Input Method Editor (IME) of Google Chrome may allow remote attackers to execute arbitrary code via a specially crafted website.

Executive summary

A high-severity use-after-free vulnerability in Google Chrome's IME component could allow an attacker to compromise the host system through memory corruption.

Vulnerability

The vulnerability resides in the Input Method Editor (IME) handling logic within the browser. An unauthenticated attacker can exploit this memory management flaw by enticing a user to navigate to a malicious site, resulting in a use-after-free condition.

Business impact

Exploitation of this vulnerability enables attackers to perform unauthorized actions on the user's workstation, potentially leading to data exfiltration or the installation of persistent threats. The CVSS score of 8.8 underscores the severity of this risk, as browser-based vulnerabilities are frequently targeted in drive-by download attacks against enterprise environments.

Remediation

Immediate Action: Update all Google Chrome installations to version 150 or higher as soon as the vendor release is available.

Proactive Monitoring: Review enterprise browser logs for evidence of unexpected crashes or unauthorized script execution within the browser's sandbox.

Compensating Controls: Utilize web filtering and content security policies to restrict access to untrusted or high-risk domains that may attempt to trigger browser exploits.
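To track the Immediate Action step across a fleet, the following added example (not part of the original advisory) classifies hosts from a software inventory export against the fixed version 150. The CSV layout, column names, hostnames and version strings are constructed assumptions, and only the major version is compared because the advisory gives no finer build number.

```python
import csv
import io

FIXED_MAJOR = 150  # fixed version named in the advisory (major only)

# Constructed sample inventory export; hosts and versions are made up.
SAMPLE_INVENTORY = """host,chrome_version
ws-001,150.0.1000.10
ws-002,149.0.9999.99
ws-003,151.0.1.2
ws-004,
ws-005,Chrome 148.0.1.1
ws-006,not-installed
"""

def parse_major(version):
    """Return the major version as an int, or None if it cannot be parsed."""
    text = version.strip()
    # Tolerate a product prefix such as "Chrome 148.0.1.1".
    if text.lower().startswith("chrome "):
        text = text[len("chrome "):].strip()
    head = text.split(".", 1)[0]
    return int(head) if head.isascii() and head.isdigit() else None

def audit(inventory_csv, fixed_major=FIXED_MAJOR):
    """Map each host to 'patched', 'vulnerable' or 'unknown'."""
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        major = parse_major(row.get("chrome_version") or "")
        if major is None:
            status = "unknown"      # missing or unparseable version
        elif major >= fixed_major:
            status = "patched"
        else:
            status = "vulnerable"
        results[row["host"]] = status
    return results

def needs_action(results):
    """Fail closed: hosts with an unknown version are followed up too."""
    return sorted(h for h, s in results.items() if s != "patched")

if __name__ == "__main__":
    res = audit(SAMPLE_INVENTORY)
    for host in needs_action(res):
        print(f"{host}: {res[host]}")
```
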

Exploitation status

Public Exploit Available: false

Analyst recommendation

The risk associated with memory corruption vulnerabilities in widely used browsers like Chrome is critical. Security teams must ensure that update cycles are accelerated for this release, prioritizing the transition to version 150 to mitigate the threat of remote code execution.