CVE-2026-15114 Overview
CVE-2026-15114 is an out-of-bounds read and write vulnerability [CWE-125] in the Codecs component of Google Chrome versions prior to 150.0.7871.115. A remote attacker can exploit heap corruption by delivering a crafted video file to a targeted user. Successful exploitation requires user interaction, such as opening a malicious page or media resource in the browser. The Chromium project rates the security severity as High, and the CVSS 3.1 base score is 8.8. Impact spans confidentiality, integrity, and availability, making this a viable path to arbitrary code execution within the renderer process. Google released a fix in the Stable channel update for desktop.
Critical Impact
Remote attackers can trigger heap corruption in Chrome's media codec pipeline through a crafted video file, potentially leading to arbitrary code execution in the renderer.
Affected Products
- Google Chrome for Desktop prior to 150.0.7871.115
- Chromium-based browsers sharing the same codec code path
- Downstream distributions bundling the vulnerable Chrome release
Discovery Timeline
- 2026-07-08 - CVE-2026-15114 published to NVD
- 2026-07-09 - Last updated in NVD database
Technical Details for CVE-2026-15114
Vulnerability Analysis
The flaw resides in Chrome's Codecs subsystem, which decodes video streams supplied to the browser. Chrome performs an out-of-bounds read followed by an out-of-bounds write during codec processing of a malformed video file. The condition corrupts adjacent heap memory belonging to the media pipeline. An attacker who controls the video payload can influence which bytes are read and written outside the intended buffer. Combined with heap-grooming techniques, this primitive is sufficient to hijack control flow inside the renderer process. Because the attack vector is network-based and requires only that the victim visit a page hosting the crafted content, mass exploitation through malvertising or watering-hole pages is plausible.
Root Cause
The root cause is missing or incorrect bounds validation when parsing frame or container metadata inside the codec routines. Length or offset fields taken from the untrusted video file are used to index into heap buffers without adequate range checks. Refer to the Chromium Issue Tracker Entry for the upstream disposition.
Attack Vector
Exploitation is remote and requires user interaction. An attacker hosts a crafted video file, typically embedded in an HTML page. When the victim loads the page in a vulnerable Chrome build, the codec parser processes the file and triggers the out-of-bounds access. Successful exploitation yields code execution in the renderer sandbox, which is commonly chained with a sandbox escape for full compromise. No verified public proof-of-concept code is available at the time of publication.
Detection Methods for CVE-2026-15114
Indicators of Compromise
- Chrome renderer processes crashing with heap corruption signatures while playing or previewing video content
- Outbound network requests from browser hosts fetching video containers from newly registered or low-reputation domains
- Unexpected child processes spawned by chrome.exe shortly after media playback
Detection Strategies
- Inventory Chrome installations and flag any build below 150.0.7871.115 as vulnerable
- Inspect browser telemetry and crash reports for repeated renderer terminations tied to codec modules
- Correlate web proxy logs with browser crash events to identify malicious video URLs
Monitoring Recommendations
- Enable and forward Chrome crash reports and enterprise reporting events to a central log platform
- Monitor endpoint EDR telemetry for anomalous process trees originating from the browser
- Alert on downloads of uncommon video container formats from untrusted domains
How to Mitigate CVE-2026-15114
Immediate Actions Required
- Update Google Chrome on all managed endpoints to version 150.0.7871.115 or later
- Force-restart the browser after deployment so patched binaries are loaded into memory
- Apply equivalent updates to Chromium-based browsers once vendors release aligned builds
Patch Information
Google addressed the issue in the Stable channel update for desktop. See the Google Chrome Stable Update announcement for the release notes and version details. Administrators should push the update through enterprise management channels such as Chrome Browser Cloud Management, Group Policy, or MDM tooling.
Workarounds
- Restrict access to untrusted websites through web filtering until patches are deployed
- Disable autoplay of video content and block embedded media on unknown domains via enterprise policy
- Use site isolation and the built-in renderer sandbox, which remain enabled by default in Chrome
# Verify Chrome version on Linux/macOS endpoints
google-chrome --version
# Windows: query installed version via registry
reg query "HKLM\SOFTWARE\Google\Chrome\BLBeacon" /v version
# Enforce minimum version via Chrome Enterprise policy (example JSON)
# /etc/opt/chrome/policies/managed/chrome-min-version.json
{
"BrowserSwitcherEnabled": false,
"RelaunchNotification": 2,
"RelaunchNotificationPeriod": 3600000
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

