CVE-2026-12014: Use After Free in Cast in Google Chrome prior to 149.0.7827.115
A · NVD · CVE-2026-12014
NATO Admiralty (AJP-2.1) grades confidence, independent of the risk score. Cross-source corroboration isn't tracked for non-CVE news, so single-source items are capped at a lower credibility number; a low number does not imply low quality.
Key metrics
- EPSS: 0%
Key insight
The vulnerability enables sandbox escape through malicious local network traffic, going beyond a simple crash and allowing code execution with elevated privileges.
Description
CVE-2026-12014 is a use-after-free vulnerability in the Cast functionality of Google Chrome prior to version 149.0.7827.115. An attacker on the same local network segment can exploit this vulnerability to bypass the Chrome sandbox and potentially execute commands with the privileges of the Chrome process. The Chromium security rating is "High". The vulnerability is triggered by crafted network traffic and could lead to complete system compromise.
Risk score
- cvss base: 0.00
- kev bonus: 0.00
- epss bonus: 0.00
- poc bonus: 0.00
- raw before weight: 0.00
- industry weight: 1.21
- freshness factor: 1.00
- exploitability factor: 1.00
- days old: 0.00
- vendor mismatch penalty: 0.00
Path: operational