CVE-2026-15126

Google · Chrome

A use-after-free vulnerability exists in the Forms component of Google Chrome, potentially allowing remote code execution via a specially crafted webpage.

Executive summary

A high-severity use-after-free vulnerability in Google Chrome's Forms component poses a significant risk of arbitrary code execution for unauthenticated users.

Vulnerability

This is a use-after-free (CWE-416) memory corruption vulnerability affecting the Forms engine. An unauthenticated remote attacker can trigger this flaw by enticing a user to visit a malicious website, leading to memory corruption and potential system compromise.

Business impact

The vulnerability carries a CVSS score of 8.8, reflecting its potential for total impact on confidentiality, integrity, and availability. Successful exploitation could allow attackers to execute arbitrary code with the privileges of the browser, leading to unauthorized data access, malware installation, or full system takeover, which presents a severe threat to organizational security and data privacy.

Remediation

Immediate Action: Update all instances of Google Chrome to version 150.0.7871.115 or later immediately.

Proactive Monitoring: Monitor endpoint logs for unusual browser process behavior or unexpected crashes that may indicate exploitation attempts.

Compensating Controls: Ensure that browser-based security features, such as site isolation and sandboxing, are enabled and enforced via enterprise policy.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the high CVSS score and the critical nature of memory corruption vulnerabilities in widely used web browsers, prompt patching is essential. Administrators should prioritize deploying the latest Chrome update across all managed endpoints to mitigate the risk of remote code execution.