CVE-2026-14107

Google · Chrome

A use-after-free vulnerability exists in the Scheduling component of Google Chrome, potentially allowing for arbitrary code execution.

Executive summary

A critical use-after-free vulnerability in Google Chrome’s Scheduling component poses a significant risk of arbitrary code execution for affected users.

Vulnerability

This is a use-after-free vulnerability located within the browser's Scheduling engine. The flaw can be triggered by an unauthenticated remote attacker via a specially crafted webpage, leading to memory corruption.

Business impact

The vulnerability carries a CVSS score of 8.8, indicating a high potential for severe impact. Successful exploitation could allow an attacker to execute arbitrary code with the privileges of the browser process, leading to a full compromise of user data, session hijacking, or lateral movement within the endpoint environment.

Remediation

Immediate Action: Update all instances of Google Chrome to version 150 or later to resolve the underlying memory management flaw.

Proactive Monitoring: Monitor endpoint logs for unusual browser crashes or unexpected process termination patterns that may indicate exploitation attempts.

Compensating Controls: Deploy endpoint protection platforms (EPP) with exploit prevention capabilities to detect and block anomalous memory access patterns associated with use-after-free attacks.
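
The following is an added example, not part of the original advisory: a fleet check for the "version 150 or later" remediation that separates hosts still below the fixed version from hosts whose version could not be verified. It assumes an inventory of tab-separated hostname and version-output lines (the format, hostnames and build numbers are constructed), and it compares only the major version because the advisory gives no full build number.

```python
import re

# Minimum fixed major version, taken from the advisory's remediation text.
FIXED_MAJOR = 150

# Matches the four-part dotted version in strings such as "Google Chrome 149.0.1.2".
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def classify(version_text):
    """Return 'patched', 'vulnerable' or 'unknown' for one reported version string."""
    match = VERSION_RE.search(version_text or "")
    if not match:
        # No parsable version: treat as unverified rather than assuming patched.
        return "unknown"
    # Compare as an integer; a string comparison would rank "99" above "150".
    major = int(match.group(1))
    return "patched" if major >= FIXED_MAJOR else "vulnerable"


def audit(inventory_lines):
    """Group hosts by status from 'hostname<TAB>version output' lines."""
    report = {"patched": [], "vulnerable": [], "unknown": []}
    for line in inventory_lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # skip blank lines and comments
        host, _, version_text = line.partition("\t")
        report[classify(version_text)].append(host.strip())
    return report


# Constructed sample inventory (hostnames and build numbers are made up).
SAMPLE_INVENTORY = [
    "# host\tversion output",
    "ws-001\tGoogle Chrome 150.0.1000.10",
    "ws-002\tGoogle Chrome 149.0.9999.99",
    "ws-003\tGoogle Chrome 151.0.1.0 beta",
    "ws-004\t",
    "ws-005\t99.0.4844.51",
    "ws-006\tcommand not found",
]

if __name__ == "__main__":
    result = audit(SAMPLE_INVENTORY)
    for status in ("vulnerable", "unknown", "patched"):
        print(f"{status}: {', '.join(result[status]) or '-'}")
```

Hosts reported as unknown should be followed up rather than counted as compliant, since a missing or unparsable version says nothing about patch state.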

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the high severity score and the critical nature of browser-based memory corruption flaws, organizations must prioritize patching. Administrators should enforce an immediate update cycle across all managed devices to mitigate the risk of remote code execution.