CVE-2026-15117
Google · Chrome
A use-after-free vulnerability in the Google Chrome Payments component allows heap corruption via a crafted HTML page.
Executive summary
A use-after-free vulnerability in Google Chrome could allow a remote attacker to achieve heap corruption and potentially execute arbitrary code.
Vulnerability
This is a use-after-free vulnerability (CWE-416) within the Payments component of Google Chrome. Exploitation requires a remote attacker to convince a user to perform specific UI gestures while viewing a crafted HTML page.
Business impact
The CVSS score of 7.5 (High) reflects the potential for severe system impact, including arbitrary code execution or data tampering. While user interaction is required, the ability to corrupt the heap poses a significant risk to organizational endpoints, potentially leading to a full compromise of the local browser environment and sensitive user data stored within the browser.
Remediation
Immediate Action: Update Google Chrome to version 150.0.7871.115 or later immediately.
Proactive Monitoring: Monitor endpoint browser logs and security telemetry for anomalous process behavior or crash reports that may indicate attempted heap corruption.
Compensating Controls: Ensure that browser-based security policies are enforced and that users are trained to avoid interacting with untrusted or suspicious web content.
Exploitation status
Public Exploit Available: No (No confirmed public exploit available).
Analyst recommendation
Given the critical nature of browser-based vulnerabilities and the potential for heap corruption, it is essential to prioritize the update to version 150.0.7871.115 across all managed endpoints. Apply this security patch immediately to mitigate the risk of remote code execution.