CVE-2026-15118

Google · Chrome

A use-after-free vulnerability in the Input component of Google Chrome may allow an attacker to achieve arbitrary code execution via a malicious webpage.

Executive summary

A critical use-after-free vulnerability in Google Chrome’s Input component exposes users to potential arbitrary code execution and system-level compromise.

Vulnerability

This vulnerability involves a use-after-free condition (CWE-416) within the Input handling logic of the browser. An unauthenticated attacker can exploit this via a specially crafted website to trigger a crash or execute unauthorized code.

Business impact

With a CVSS score of 8.8, this vulnerability represents a significant threat to organizational security. Compromise of the browser could lead to unauthorized access to sensitive user data, credential theft, or the pivot into internal network resources, resulting in severe operational impact and data loss.

Remediation

Immediate Action: Apply the latest security updates provided by Google for the Chrome browser immediately.

Proactive Monitoring: Review web proxy and browser security logs for attempts to access suspicious URLs or patterns consistent with memory corruption exploitation.

Compensating Controls: Enforce strict browser security policies via Group Policy or MDM, and ensure that endpoint protection software is configured to detect malicious memory access patterns.

Exploitation status

Public Exploit Available: false

Analyst recommendation

The severity of this vulnerability necessitates immediate action. Organizations must ensure that all instances of Google Chrome are updated to the current secure version to eliminate the risk of exploitation and protect the integrity of the endpoint environment.