CVE-2026-15123 Overview
CVE-2026-15123 is a heap corruption vulnerability in the Document Object Model (DOM) implementation of Google Chrome versions prior to 150.0.7871.115. A remote attacker can trigger the flaw by convincing a user to visit a crafted HTML page. Successful exploitation allows the attacker to corrupt heap memory in the renderer process, which can lead to arbitrary code execution within the browser sandbox. The Chromium project rates the underlying security severity as High. The weakness is classified as heap-based memory corruption [CWE-122].
Critical Impact
Remote attackers can achieve heap corruption and potential code execution in the renderer by luring a user to a malicious web page.
Affected Products
- Google Chrome for Desktop prior to version 150.0.7871.115
- Chromium-based browsers sharing the vulnerable DOM code
- Embedded frameworks using vulnerable Chromium builds
Discovery Timeline
- 2026-07-08 - CVE-2026-15123 published to the National Vulnerability Database
- 2026-07-09 - Last updated in NVD database
Technical Details for CVE-2026-15123
Vulnerability Analysis
The vulnerability resides in Chrome's DOM subsystem, which manages the in-memory tree representation of parsed HTML documents. An inappropriate implementation permits a crafted HTML page to place DOM objects into an unexpected state. That state drives allocator or object-lifetime logic down a path the developers did not anticipate. The result is heap corruption inside the renderer process.
Heap corruption in a browser renderer is a well-understood primitive for attackers. Adversaries typically pair it with a separate sandbox escape to achieve full remote code execution on the host. Because exploitation requires only that the victim load a page, drive-by-download and malvertising delivery chains are viable. User interaction is required, but that requirement is satisfied by any page navigation.
Root Cause
The root cause is an inappropriate implementation of DOM logic that violates memory-safety assumptions. According to CWE-122, heap-based buffer errors occur when data is written beyond the bounds of a heap-allocated region or when object metadata is manipulated in ways the allocator does not expect. In Chrome's DOM, such issues frequently stem from incorrect object lifetime tracking, missing bounds validation, or unsafe transitions between element states.
Attack Vector
Exploitation proceeds over the network. The attacker hosts or injects a crafted HTML page that instantiates specific DOM structures and triggers the vulnerable code path. When the victim's browser parses and renders the page, heap metadata or adjacent objects are corrupted. Chained with a sandbox escape, this enables execution outside the renderer. No verified proof-of-concept code is publicly available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
No verified public exploit code is available. Refer to the Chromium Issue Tracker Entry once access restrictions are lifted for the authoritative technical description.
Detection Methods for CVE-2026-15123
Indicators of Compromise
- Unexpected child processes spawned by chrome.exe or the renderer helper, such as command shells or scripting hosts
- Renderer process crashes with heap corruption signatures in Chrome crash reports
- Outbound connections from browser processes to unfamiliar domains immediately after visiting an untrusted page
- Chrome versions below 150.0.7871.115 reported by endpoint inventory
Detection Strategies
- Inventory installed Chrome versions across the fleet and flag any build below 150.0.7871.115
- Alert on browser processes writing executables to disk or loading unsigned modules
- Correlate web proxy logs with endpoint telemetry to identify users visiting attacker-controlled pages followed by anomalous browser behavior
- Monitor for renderer crash telemetry patterns consistent with memory corruption exploitation attempts
Monitoring Recommendations
- Enforce continuous version compliance checks against Google's stable channel release notes
- Collect and analyze browser crash dumps centrally to surface exploitation attempts
- Track process-lineage anomalies where Chrome renderers spawn non-browser child processes
How to Mitigate CVE-2026-15123
Immediate Actions Required
- Update all Google Chrome installations to version 150.0.7871.115 or later without delay
- Restart browsers after update to ensure the patched binaries are loaded into memory
- Apply equivalent updates to Chromium-based browsers such as Microsoft Edge, Brave, and Opera as vendors release them
- Restrict browsing to trusted sites on unpatched systems until the update is deployed
Patch Information
Google addressed the vulnerability in the stable channel update announced on July 1, 2026. Administrators should deploy Chrome 150.0.7871.115 or later. See the Google Chrome Update Announcement for the official release notes and the Chromium Issue Tracker Entry for issue tracking.
Workarounds
- Enable enterprise policies that force automatic updates and prevent users from postponing browser restarts
- Deploy site-category web filtering to reduce exposure to unknown or newly registered domains hosting crafted HTML
- Enforce Chrome's site isolation and strict sandbox settings to raise the cost of a successful sandbox escape
# Configuration example: enforce Chrome auto-update on Windows via registry
reg add "HKLM\SOFTWARE\Policies\Google\Update" /v UpdateDefault /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Google\Update" /v AutoUpdateCheckPeriodMinutes /t REG_DWORD /d 60 /f
# Verify installed Chrome version
"C:\Program Files\Google\Chrome\Application\chrome.exe" --version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

