CVE-2026-13779 in Chrome

Summary

by MITRE • 07/01/2026

Use after free in Chromoting in Google Chrome on ChromeOS prior to 150.0.7871.47 allowed a remote attacker to execute arbitrary code via malicious network traffic. (Chromium security severity: Critical)


Analysis

by VulDB Data Team • 07/01/2026

This vulnerability represents a critical use-after-free condition in the Chromoting component of Google Chrome running on ChromeOS systems prior to version 150.0.7871.47. The flaw occurs when the Chromoting functionality processes malicious network traffic, creating an opportunity for remote code execution attacks. The underlying technical issue stems from improper memory management where freed memory locations are accessed after being deallocated, allowing attackers to manipulate program flow and potentially execute arbitrary code on affected systems.

The vulnerability falls under the Common Weakness Enumeration category CWE-416 (Use After Free), which is classified as a serious memory safety issue that directly impacts software reliability and security. This specific implementation flaw in ChromeOS Chromoting demonstrates how remote attackers can leverage network-based attacks to exploit memory management errors within browser components. The Chromium security severity rating of Critical indicates the high potential for exploitation and the significant impact on system integrity.

From an operational perspective, this vulnerability creates a substantial risk for ChromeOS users as it allows remote code execution without requiring local system access or user interaction. Attackers can craft malicious network traffic that triggers the use-after-free condition during normal Chromoting operations, potentially leading to full system compromise. The attack surface is particularly concerning given that ChromeOS devices are often deployed in enterprise environments where they may have elevated privileges and access to sensitive corporate networks.

The exploitation of this vulnerability typically involves sending specially crafted network packets that cause the Chromoting component to free memory resources while still maintaining references to those locations. When subsequent operations attempt to access this freed memory, attackers can manipulate the data or overwrite it with malicious code, potentially gaining control over the system's execution flow. This type of attack pattern aligns with the tactics described in the attack tree framework under persistent threat scenarios targeting browser-based components.

Mitigation strategies for this vulnerability require immediate patching to version 150.0.7871.47 or later, which addresses the memory management error through proper resource deallocation and access validation mechanisms. Organizations should also implement network segmentation and monitoring to detect suspicious traffic patterns that might indicate exploitation attempts. Additional defensive measures include disabling unnecessary Chromoting functionality when not required, implementing network access controls, and maintaining updated threat intelligence feeds to identify potential exploitation signatures in network traffic. The fix likely involves strengthening memory management checks within the Chromoting component to prevent access to freed memory locations and ensure proper resource lifecycle management throughout the component's operation.
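
To act on the patching guidance above, the following is an added example (not part of the original entry or of any Chrome or VulDB tooling) that audits a device inventory against the fixed version 150.0.7871.47. The `device_id,chrome_version` row format and the sample rows are constructed assumptions.

```python
# Added example: flag devices whose Chrome version predates the fix.
FIXED = "150.0.7871.47"  # fixed version stated in the entry above


def parse_version(text):
    """Return a 4-tuple of ints for a Chrome version string, or None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def classify(version_text, fixed=FIXED):
    """Compare numerically, field by field; never compare the raw strings."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"  # treat as needing manual follow-up, not as patched
    return "vulnerable" if version < parse_version(fixed) else "patched"


def audit(inventory_lines):
    """Group device IDs by status from 'device_id,chrome_version' rows
    (hypothetical inventory export format)."""
    report = {"vulnerable": [], "patched": [], "unknown": []}
    for line in inventory_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        device, _, version = line.partition(",")
        report[classify(version)].append(device.strip())
    return report


# Constructed sample inventory (not real devices or real build numbers).
SAMPLE = [
    "# device_id,chrome_version",
    "cb-001,150.0.7871.47",   # exactly the fixed version
    "cb-002,150.0.7871.46",   # one patch level behind
    "cb-003,149.0.7900.120",  # older major version
    "cb-004,150.0.10000.1",   # a string compare would wrongly sort this below 7871
    "cb-005,unknown",         # malformed or missing version
    "cb-006,151.0.7900.3",
]

if __name__ == "__main__":
    for status, devices in audit(SAMPLE).items():
        print(f"{status}: {', '.join(devices) or '-'}")
```

Devices reported as `unknown` should be resolved by hand rather than assumed patched.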

Responsible: Chrome
Reservation: 06/30/2026
Disclosure: 07/01/2026
Moderation: accepted
CPE: ready
EPSS: 0.00000
KEV: no
Activities: low
