CVE-2026-15111

Google · Chrome

A use-after-free vulnerability in the Views component of Google Chrome allows remote attackers to trigger heap corruption via a crafted HTML page and specific UI gestures.

Executive summary

A critical use-after-free vulnerability in Google Chrome could allow remote attackers to achieve arbitrary code execution via a specially crafted HTML page.

Vulnerability

This is a use-after-free vulnerability (CWE-416) within the Views component of the browser. A remote, unauthenticated attacker can exploit this by enticing a user to perform specific UI gestures on a malicious page, leading to heap corruption.

Business impact

With a CVSS score of 7.5, this vulnerability poses a severe risk to end-user workstations. Successful exploitation can lead to arbitrary code execution within the context of the user, potentially allowing an attacker to gain full control over the affected system, exfiltrate data, or install persistent malware.

Remediation

Immediate Action: Update Google Chrome to version 150.0.7871.115 or later immediately to apply the memory management fix.

Proactive Monitoring: Monitor endpoint detection systems for unusual browser process behavior or unexpected crashes that may indicate exploitation attempts.

Compensating Controls: Deploy browser-level security policies and ensure that users are restricted from executing unauthorized software, which limits the impact of potential code execution.

Exploitation status

Public Exploit Available: No

Analyst recommendation

Browser vulnerabilities are frequent targets for threat actors. Given the nature of use-after-free flaws and their potential for code execution, all users and administrators must ensure Chrome is updated to the latest stable version across all managed endpoints to mitigate this risk.