CVE-2026-13898

Google · Chrome

A use-after-free vulnerability in the Google Chrome Cast Receiver component could allow an attacker to trigger memory corruption and potentially execute arbitrary code.

Executive summary

A high-severity use-after-free vulnerability in the Google Chrome Cast Receiver component introduces a risk of arbitrary code execution for affected users.

Vulnerability

This vulnerability involves a use-after-free error within the Cast Receiver functionality of Google Chrome. An unauthenticated attacker could leverage this flaw to destabilize the browser or achieve remote code execution.

Business impact

The ability to execute arbitrary code via the browser provides an attacker with a foothold in the user's environment, which can lead to data theft or the installation of malicious software. The CVSS score of 8.8 reflects the high potential for impact, making remediation a priority for security teams responsible for the integrity of user workstations.

Remediation

Immediate Action: Update all instances of Google Chrome to version 150 or later as soon as the patch is available.

Proactive Monitoring: Review system logs for signs of suspicious browser activity, in particular unexpected process terminations (crashes) involving the Cast Receiver module.

Compensating Controls: Use network-level filtering to block known malicious domains and employ endpoint detection and response (EDR) tools to identify malicious browser-based activity.
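As an added example (not part of this advisory or of Chrome itself), a small Python check for the version requirement in the remediation steps above. The binary names it probes and the use of `--version` output are assumptions; a host where no version can be read is reported as unknown rather than as patched.

```python
"""Check whether an installed Chrome/Chromium build meets the advisory's minimum version."""
import re
import shutil
import subprocess
from typing import Optional, Tuple

# Minimum major version named in the advisory's remediation section.
MIN_FIXED_MAJOR = 150

# Matches the trailing dotted version in strings such as
# "Google Chrome 149.0.7118.63" or "Chromium 150.0.7200.10" (constructed samples).
_VERSION_RE = re.compile(r"(\d+(?:\.\d+){1,3})\s*$")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract the numeric version tuple from `--version` output; None if unparseable."""
    match = _VERSION_RE.search(text.strip())
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def is_patched(text: str, min_major: int = MIN_FIXED_MAJOR) -> Optional[bool]:
    """True if the reported major version is at or above the fixed release.

    Returns None when the version cannot be determined, so callers flag the
    host for manual review instead of silently treating it as safe.
    """
    version = parse_version(text)
    if version is None:
        return None
    return version[0] >= min_major


def check_installed(candidates=("google-chrome", "google-chrome-stable",
                                "chromium", "chromium-browser")) -> dict:
    """Probe PATH for a Chrome/Chromium binary and report its patch status.

    Assumption: the binary prints its version for `--version` (Linux builds do).
    A host with no binary on PATH gets patched=None, never a false "patched".
    """
    for name in candidates:
        path = shutil.which(name)
        if not path:
            continue
        try:
            out = subprocess.run([path, "--version"], capture_output=True,
                                 text=True, timeout=10).stdout
        except (OSError, subprocess.SubprocessError):
            continue
        return {"binary": path, "reported": out.strip(), "patched": is_patched(out)}
    return {"binary": None, "reported": "", "patched": None}


if __name__ == "__main__":
    print(check_installed())
```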

Exploitation status

Public Exploit Available: false

Analyst recommendation

Immediate patching is required to mitigate this high-severity risk. Security administrators should ensure that automated update mechanisms for Google Chrome are functioning correctly to minimize the window of exposure across the organization.