CVE-2026-15121 in Chromeinfo

Summary

by MITRE • 07/09/2026

Use after free in WebRTC in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 07/09/2026

This vulnerability represents a critical use-after-free condition in the WebRTC implementation within Google Chrome browsers prior to version 150.0.7871.115, classified under CWE-416 as a use-after-free error that occurs when memory is accessed after it has been freed. The flaw exists within the browser's sandboxed environment where WebRTC functionality handles real-time communication between web applications and external devices such as cameras and microphones. When processing maliciously crafted HTML pages containing specially constructed WebRTC objects, the browser fails to properly manage memory references, leading to a scenario where freed memory blocks are still accessed by subsequent operations.

The technical execution of this vulnerability allows remote attackers to achieve arbitrary code execution within the sandboxed context of the Chrome browser, representing a significant escalation from typical web-based attacks. The attack vector involves delivering a malicious HTML page that triggers specific WebRTC object creation and destruction sequences, which when combined with memory management flaws in the browser's JavaScript engine, creates conditions for memory corruption. This particular vulnerability demonstrates how sandbox escape techniques can be achieved through memory safety issues in complex browser components, particularly those handling multimedia and real-time communication protocols.

The operational impact of this vulnerability extends beyond simple remote code execution as it enables attackers to bypass multiple security layers including the browser's sandbox protection mechanisms. The Chromium security severity classification of High reflects the potential for complete system compromise when successful, since the sandbox escape allows attackers to execute malicious payloads with elevated privileges within the browser environment. This type of vulnerability is particularly dangerous in enterprise environments where users may encounter untrusted web content through phishing campaigns or compromised websites.

Mitigation strategies should include immediate patching of Chrome browsers to version 150.0.7871.115 or later, which contains fixes addressing the specific memory management issues in WebRTC implementation. Organizations should also implement network-level protections such as content filtering and web application firewalls to prevent access to known malicious domains. Additionally, browser hardening measures including disabling unnecessary WebRTC features for users who do not require real-time communication capabilities can reduce attack surface. The vulnerability aligns with ATT&CK technique T1059.007 for PowerShell and T1203 for Exploitation for Client Execution, demonstrating how memory corruption flaws can be leveraged to establish persistent access through browser-based exploitation vectors that bypass traditional endpoint protection mechanisms.

Responsible

Chrome

Reservation

07/08/2026

Disclosure

07/09/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!