CVE-2026-15767 in Chrome
Summary
by MITRE • 07/15/2026
Heap buffer overflow in libyuv in Google Chrome on Windows prior to 150.0.7871.125 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted video file. (Chromium security severity: High)
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 07/15/2026
This vulnerability represents a critical heap buffer overflow flaw within the libyuv library component of Google Chrome on Windows systems, specifically affecting versions prior to 150.0.7871.125. The issue stems from improper bounds checking during video processing operations, where maliciously crafted video files can trigger memory corruption that allows attackers to execute arbitrary code within the browser's sandboxed environment. The vulnerability is classified as high severity by Chromium security standards due to its remote exploitability and potential for privilege escalation through sandbox escape techniques.
The technical implementation of this flaw occurs when Chrome processes multimedia content using the libyuv library, which provides optimized image processing functions for video manipulation. During video decoding and frame processing operations, insufficient validation of input parameters leads to memory allocation that does not properly account for buffer boundaries. When an attacker supplies a specially crafted video file containing malformed metadata or compressed frames, the processing routine attempts to write data beyond allocated heap memory regions, creating conditions where adjacent memory can be overwritten with attacker-controlled values.
From an operational perspective, this vulnerability enables remote code execution attacks without requiring user interaction beyond visiting a malicious website or opening a compromised media file. The attack vector leverages the browser's multimedia handling capabilities, making it particularly dangerous in phishing campaigns or compromised websites. Security researchers have identified this issue as mapping to CWE-121 Heap-based Buffer Overflow, which is categorized under the broader ATT&CK technique T1059.007 for Command and Scripting Interpreter and T1548.002 for Abuse of Functionality within the adversary tactics framework.
The exploitation process typically involves crafting a video file with specific memory layout characteristics that cause predictable heap corruption, followed by leveraging the corrupted memory to redirect execution flow to attacker-controlled code within the browser sandbox. Modern exploit mitigations such as ASLR, DEP, and stack canaries may be bypassed due to the nature of heap-based attacks, making this particularly dangerous for targeted attacks against Windows systems where these protections are present.
Organizations should immediately update Chrome installations to version 150.0.7871.125 or later to remediate this vulnerability, as no reliable workarounds exist for this specific heap overflow condition. System administrators should monitor for indicators of compromise related to this vulnerability and implement network-based intrusion detection systems to detect attempts to deliver malicious video content. Additional mitigations include implementing strict content filtering policies for multimedia files, enabling Chrome's built-in security features such as site isolation, and conducting regular security assessments of browser-based applications that handle external media content. The vulnerability also underscores the importance of keeping third-party libraries updated, as libyuv is a commonly used component across multiple software platforms beyond just Chrome.