CVE-2026-12015: Use After Free in Autofill in Google Chrome Prior to 149.0.7827.115
Source: NVD (Admiralty source reliability: A) · CVE-2026-12015
Key metrics
- EPSS: 0%
Key insight
The vulnerability allows an attacker with access to the renderer process to extract sensitive data from process memory; exploitation requires a pre-compromised rendering environment.
Description
CVE-2026-12015 is a use-after-free vulnerability in the Autofill feature of Google Chrome prior to version 149.0.7827.115. The vulnerability allows an attacker who has already compromised the renderer process to extract potentially sensitive information from process memory via a crafted HTML page. Chromium classified this vulnerability as high severity. There are currently no reports of active exploitation in the wild.
Risk score
- cvss base: 0.00
- kev bonus: 0.00
- epss bonus: 0.00
- poc bonus: 0.00
- raw before weight: 0.00
- industry weight: 1.21
- freshness factor: 1.00
- exploitability factor: 1.00
- days old: 0.00
- vendor mismatch penalty: 0.00
Path: operational