CVE-2026-15108 in Chromeinfo

Summary

by MITRE • 07/09/2026

Integer overflow in Extensions API in Google Chrome prior to 150.0.7871.115 allowed an attacker who convinced a user to install a malicious extension to perform an out of bounds memory read via a crafted Chrome Extension. (Chromium security severity: High)

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 07/09/2026

This vulnerability represents a critical integer overflow condition within the Extensions Application Programming Interface of Google Chrome versions prior to 150.0.7871.115, classified under CWE-190 as an integer overflow or wraparound. The flaw occurs when processing maliciously crafted extension manifests that contain oversized numeric values, specifically affecting the memory allocation routines used by the chrome extensions API. Attackers can exploit this vulnerability by crafting a malicious Chrome extension with malformed integer parameters that cause arithmetic overflow during memory calculations, leading to predictable buffer overflows and subsequent out of bounds memory read operations.

The technical implementation of this vulnerability leverages the way Chrome processes extension metadata, particularly when handling extension manifest files where integer values control memory allocation sizes for various internal data structures. When an attacker crafts a Chrome extension with intentionally oversized numeric fields within its manifest, the integer overflow causes the system to allocate insufficient memory for legitimate operations while simultaneously creating conditions that allow access to adjacent memory regions. This particular flaw falls under the ATT&CK technique T1059.001 for executing malicious code through extension installation and T1547.001 for persistence mechanisms, as the malicious extension can leverage this vulnerability to execute arbitrary code with elevated privileges.

The operational impact of this vulnerability extends beyond simple memory corruption, as it provides attackers with a pathway to extract sensitive information from the browser's memory space, potentially including user credentials, session tokens, or other confidential data. The exploitation requires social engineering to convince users to install the malicious extension, making it particularly dangerous in targeted attacks where attackers can leverage phishing campaigns or compromised extension repositories. This vulnerability affects all Chrome versions up to and including 150.0.7871.114, representing a significant security gap that could enable data exfiltration, privilege escalation, and persistent access to affected systems.

Mitigation strategies for this vulnerability include immediate updating of Chrome browsers to version 150.0.7871.115 or later, where the integer overflow has been patched through proper input validation and bounds checking mechanisms. Organizations should implement extension whitelisting policies and restrict installation permissions to prevent unauthorized extension deployment. Additional protective measures include monitoring for suspicious extension installations, implementing browser security policies that disable potentially dangerous extension APIs, and conducting regular security audits of installed extensions. The fix addresses the root cause by introducing comprehensive integer overflow protections within the chrome extensions API handling code, ensuring that all numeric inputs are properly validated before being used in memory allocation calculations, thereby preventing the conditions that enabled the out of bounds memory read operations.

Responsible

Chrome

Reservation

07/08/2026

Disclosure

07/09/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!