CVE-2026-15110 Overview
CVE-2026-15110 is a use-after-free vulnerability in the Extensions component of Google Chrome prior to version 150.0.7871.115. An attacker who convinces a user to install a malicious extension can trigger heap corruption through a crafted Chrome extension. The Chromium project rates the security severity as High, and the flaw is tracked under CWE-416.
Successful exploitation can lead to arbitrary code execution within the browser process context. User interaction is required, since the attacker must first persuade the target to install the malicious extension.
Critical Impact
Heap corruption through a crafted Chrome extension can enable arbitrary code execution in the browser, exposing browsing sessions, credentials, and cached data.
Affected Products
- Google Chrome for Desktop prior to 150.0.7871.115
- Chromium-based browsers embedding the vulnerable Extensions component
- Chrome Stable channel builds released before the July 2026 update
Discovery Timeline
- 2026-07-08 - CVE-2026-15110 published to NVD
- 2026-07-09 - Last updated in NVD database
Technical Details for CVE-2026-15110
Vulnerability Analysis
The vulnerability is a use-after-free ([CWE-416]) in the Chrome Extensions subsystem. A use-after-free occurs when a program continues to reference memory after it has been released back to the allocator. If an attacker can control the contents of the reallocated region, dereferencing the stale pointer yields attacker-controlled data used as an object, function pointer, or type descriptor.
In the Extensions component, object lifetimes span multiple asynchronous events, including extension load, unload, message passing, and DOM manipulation. Mismanaged reference counts or missing weak-pointer checks in this state machine allow a freed object to be reached through a dangling handle. The condition is reachable from an installed extension, which runs with elevated privileges relative to standard web content.
Root Cause
The root cause is improper object lifetime management within the Extensions code path. A handler retains a raw pointer to an Extensions-owned object that is destroyed while an operation involving the object is still in flight. The subsequent use of the freed allocation corrupts heap metadata or invokes a controlled virtual dispatch.
Attack Vector
Exploitation requires user interaction. The victim must install a malicious extension crafted by the attacker. Once installed, the extension issues the sequence of API calls that triggers the free-then-use condition. Because extensions run with broader capabilities than sandboxed web pages, achieving heap corruption from this surface increases the likelihood of a working renderer or browser-process compromise. The attack vector is Network, since the malicious extension is delivered remotely.
No verified public exploit code is available. See the Chromium Issue Tracker #516948486 and the Google Chrome Stable Update advisory for additional detail as it becomes public.
Detection Methods for CVE-2026-15110
Indicators of Compromise
- Installation of unknown or unsigned Chrome extensions outside of the Chrome Web Store enterprise allowlist.
- Chrome renderer or browser process crashes with heap corruption signatures following extension activity.
- Newly registered extension IDs writing to chrome.storage or issuing outbound requests to attacker-controlled infrastructure.
Detection Strategies
- Inventory installed extensions across managed Chrome fleets using enterprise policy reporting and compare against an approved list.
- Alert on Chrome versions below 150.0.7871.115 reported through endpoint telemetry or software inventory tooling.
- Monitor for anomalous child processes or code execution spawned by chrome.exe shortly after extension installation events.
Monitoring Recommendations
- Ingest Chrome update and crash telemetry into a centralized data lake to correlate crash signatures with extension IDs.
- Track extension install and update events using ExtensionInstallForcelist and ExtensionInstallBlocklist policy logs.
- Review outbound network connections from browser processes for traffic to newly observed domains associated with extension activity.
How to Mitigate CVE-2026-15110
Immediate Actions Required
- Update all Google Chrome desktop installations to version 150.0.7871.115 or later without delay.
- Audit installed extensions and remove any that are unverified, unused, or sourced outside the Chrome Web Store.
- Enforce enterprise policy to restrict extension installation to an explicit allowlist of vetted IDs.
Patch Information
Google released the fix in the Chrome Stable channel update documented in the Google Chrome Stable Update advisory. Upgrading to Chrome 150.0.7871.115 or later remediates CVE-2026-15110. Chromium downstream vendors should incorporate the corresponding upstream patch referenced in Chromium Issue Tracker #516948486.
Workarounds
- Use ExtensionInstallBlocklist set to * combined with an explicit ExtensionInstallAllowlist to prevent installation of untrusted extensions until patching is complete.
- Disable developer mode in Chrome via enterprise policy to block sideloaded unpacked extensions.
- Restrict user privileges so that extension installation requires administrator approval on managed endpoints.
# Configuration example: Chrome enterprise policy to block untrusted extensions
# Windows registry path: HKLM\Software\Policies\Google\Chrome\
ExtensionInstallBlocklist = ["*"]
ExtensionInstallAllowlist = ["<approved-extension-id-1>", "<approved-extension-id-2>"]
DeveloperToolsAvailability = 2
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

