Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-15114

CVE-2026-15114: Google Chrome Codecs RCE Vulnerability

CVE-2026-15114 is a remote code execution flaw in Google Chrome Codecs that allows attackers to exploit heap corruption through crafted video files. This post covers the technical details, affected versions, and mitigation.

Published:

CVE-2026-15114 Overview

CVE-2026-15114 is an out-of-bounds read and write vulnerability [CWE-125] in the Codecs component of Google Chrome versions prior to 150.0.7871.115. A remote attacker can exploit heap corruption by delivering a crafted video file to a targeted user. Successful exploitation requires user interaction, such as opening a malicious page or media resource in the browser. The Chromium project rates the security severity as High, and the CVSS 3.1 base score is 8.8. Impact spans confidentiality, integrity, and availability, making this a viable path to arbitrary code execution within the renderer process. Google released a fix in the Stable channel update for desktop.

Critical Impact

Remote attackers can trigger heap corruption in Chrome's media codec pipeline through a crafted video file, potentially leading to arbitrary code execution in the renderer.

Affected Products

  • Google Chrome for Desktop prior to 150.0.7871.115
  • Chromium-based browsers sharing the same codec code path
  • Downstream distributions bundling the vulnerable Chrome release

Discovery Timeline

  • 2026-07-08 - CVE-2026-15114 published to NVD
  • 2026-07-09 - Last updated in NVD database

Technical Details for CVE-2026-15114

Vulnerability Analysis

The flaw resides in Chrome's Codecs subsystem, which decodes video streams supplied to the browser. Chrome performs an out-of-bounds read followed by an out-of-bounds write during codec processing of a malformed video file. The condition corrupts adjacent heap memory belonging to the media pipeline. An attacker who controls the video payload can influence which bytes are read and written outside the intended buffer. Combined with heap-grooming techniques, this primitive is sufficient to hijack control flow inside the renderer process. Because the attack vector is network-based and requires only that the victim visit a page hosting the crafted content, mass exploitation through malvertising or watering-hole pages is plausible.

Root Cause

The root cause is missing or incorrect bounds validation when parsing frame or container metadata inside the codec routines. Length or offset fields taken from the untrusted video file are used to index into heap buffers without adequate range checks. Refer to the Chromium Issue Tracker Entry for the upstream disposition.

Attack Vector

Exploitation is remote and requires user interaction. An attacker hosts a crafted video file, typically embedded in an HTML page. When the victim loads the page in a vulnerable Chrome build, the codec parser processes the file and triggers the out-of-bounds access. Successful exploitation yields code execution in the renderer sandbox, which is commonly chained with a sandbox escape for full compromise. No verified public proof-of-concept code is available at the time of publication.

Detection Methods for CVE-2026-15114

Indicators of Compromise

  • Chrome renderer processes crashing with heap corruption signatures while playing or previewing video content
  • Outbound network requests from browser hosts fetching video containers from newly registered or low-reputation domains
  • Unexpected child processes spawned by chrome.exe shortly after media playback

Detection Strategies

  • Inventory Chrome installations and flag any build below 150.0.7871.115 as vulnerable
  • Inspect browser telemetry and crash reports for repeated renderer terminations tied to codec modules
  • Correlate web proxy logs with browser crash events to identify malicious video URLs

Monitoring Recommendations

  • Enable and forward Chrome crash reports and enterprise reporting events to a central log platform
  • Monitor endpoint EDR telemetry for anomalous process trees originating from the browser
  • Alert on downloads of uncommon video container formats from untrusted domains

How to Mitigate CVE-2026-15114

Immediate Actions Required

  • Update Google Chrome on all managed endpoints to version 150.0.7871.115 or later
  • Force-restart the browser after deployment so patched binaries are loaded into memory
  • Apply equivalent updates to Chromium-based browsers once vendors release aligned builds

Patch Information

Google addressed the issue in the Stable channel update for desktop. See the Google Chrome Stable Update announcement for the release notes and version details. Administrators should push the update through enterprise management channels such as Chrome Browser Cloud Management, Group Policy, or MDM tooling.

Workarounds

  • Restrict access to untrusted websites through web filtering until patches are deployed
  • Disable autoplay of video content and block embedded media on unknown domains via enterprise policy
  • Use site isolation and the built-in renderer sandbox, which remain enabled by default in Chrome
bash
# Verify Chrome version on Linux/macOS endpoints
google-chrome --version

# Windows: query installed version via registry
reg query "HKLM\SOFTWARE\Google\Chrome\BLBeacon" /v version

# Enforce minimum version via Chrome Enterprise policy (example JSON)
# /etc/opt/chrome/policies/managed/chrome-min-version.json
{
  "BrowserSwitcherEnabled": false,
  "RelaunchNotification": 2,
  "RelaunchNotificationPeriod": 3600000
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.