Auto-CTI

Status: New · Severity: Critical · Admiralty grade: A3

CVE-2026-12007: Use-After-Free in Google Chrome on Windows Prior to 149.0.7827.115 Allows Remote Code Execution

Source: NVD (reliability A) · CVE-2026-12007

Admiralty grading (A–F · 1–6)

Source reliability

  • A Completely reliable
  • B Usually reliable
  • C Fairly reliable
  • D Not usually reliable
  • E Unreliable
  • F Cannot be judged

Information credibility

  • 1 Confirmed
  • 2 Probably true
  • 3 Possibly true
  • 4 Doubtful
  • 5 Improbable
  • 6 Cannot be judged

NATO Admiralty (AJP-2.1) grades confidence, independent of the risk score. Cross-source corroboration isn't tracked for non-CVE news, so single-source items are capped at a lower credibility number; a low number does not imply low quality.

Key metrics

EPSS: 0%

Key insight

A use-after-free vulnerability in Chrome's core allows attackers to execute arbitrary code via crafted HTML pages, a frequently exploited attack class targeting browsers.

Description

CVE-2026-12007 is a critical use-after-free vulnerability in Google Chrome's core component on Windows (versions prior to 149.0.7827.115). It allows a remote attacker to execute arbitrary code in the Chrome process context by opening a crafted HTML page. The Chromium security rating is "Critical". Use-after-free bugs in browser engines are typically easier to exploit than other memory flaws and are commonly leveraged in targeted campaigns.

Risk score: 54

  cvss base: 45.00
  kev bonus: 0.00
  epss bonus: 0.00
  poc bonus: 0.00
  raw before weight: 45.00
  industry weight: 1.21
  freshness factor: 1.00
  exploitability factor: 1.00
  days old: 0.00
  vendor mismatch penalty: 0.00

Path: operational

MITRE ATT&CK mapping

2 TTPs mapped (tactics: Execution, Initial Access)

Procedure details

Technique: T1203 (Exploitation for Client Execution)
Tactic: Execution
Procedure: A use-after-free vulnerability in Google Chrome Core on Windows (CVE-2026-12007) allows a remote attacker to execute arbitrary code by luring a victim to visit a crafted HTML page prior to version 149.0.7827.115.
Confidence: high
Source: llm

Technique: T1189 (Drive-by Compromise)
Tactic: Initial Access
Procedure: The attacker exploits CVE-2026-12007 via a crafted HTML page delivered through a browser, enabling remote code execution when a victim visits the malicious page without requiring additional user interaction beyond browsing.
Confidence: high
Source: llm