CVE-2026-15107 in Chromeinfo

Summary

by MITRE • 07/09/2026

Use after free in IndexedDB in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 07/09/2026

This vulnerability represents a critical use-after-free condition within the IndexedDB implementation of Google Chrome browsers prior to version 150.0.7871.115, creating a remote code execution vector that operates entirely within the browser sandbox environment. The flaw manifests when malicious HTML pages manipulate IndexedDB database operations in ways that leave object references in memory after their associated resources have been freed, allowing attackers to exploit this memory management inconsistency for arbitrary code execution.

The technical nature of this vulnerability stems from improper memory handling within Chrome's IndexedDB storage subsystem where objects are not properly validated before access following deallocation. When an attacker crafts a malicious HTML page that triggers specific IndexedDB operations and subsequent cleanup routines, the browser fails to properly enforce object lifetime constraints, resulting in a use-after-free scenario that can be leveraged by remote adversaries. This particular vulnerability falls under CWE-416 which specifically addresses use-after-free conditions in software implementations.

The operational impact of this vulnerability extends beyond simple privilege escalation as it allows attackers to execute arbitrary code within the browser sandbox without requiring additional attack vectors or user interaction beyond visiting a malicious webpage. The Chromium security severity classification of Medium reflects the substantial risk posed by this flaw, particularly given that modern browsers increasingly rely on IndexedDB for storing sensitive data and maintaining application state. Attackers can exploit this vulnerability to bypass traditional browser security boundaries and potentially access or manipulate stored data, execute malicious scripts, or establish persistent access points.

Mitigation strategies for this vulnerability require immediate patching of affected Chrome versions to 150.0.7871.115 or later, as the fix addresses the core memory management issues within IndexedDB operations. Organizations should also implement network-level protections including web application firewalls and content filtering systems that can detect and block known malicious payloads targeting this specific vulnerability class. Additionally, browser hardening measures such as disabling unnecessary IndexedDB functionality for untrusted websites, implementing strict sandboxing policies, and maintaining updated security configurations can provide additional defense layers against exploitation attempts.

This vulnerability demonstrates the ongoing challenges in securing complex browser environments where multiple storage mechanisms and memory management systems interact, highlighting the need for continuous security auditing of core browser components. The ATT&CK framework categorizes this as a technique involving code injection within browser contexts, specifically targeting the browser's data persistence mechanisms to establish malicious execution capabilities that operate below the traditional operating system privilege levels but maintain significant operational impact against end-user security.

Responsible

Chrome

Reservation

07/08/2026

Disclosure

07/09/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!