
PatchSiren cyber security CVE debrief

CVE-2026-12440 Google CVE debrief

A critical vulnerability, CVE-2026-12440, was discovered in Google Chrome on Windows. It is a use-after-free in DigitalCredentials that allows a remote attacker to potentially perform a sandbox escape via a crafted HTML page, and it carries a CVSS score of 9.6 (Critical). Users of Google Chrome on Windows should update to version 149.0.7827.155 or later to mitigate it. The vulnerability was publicly disclosed on June 17, 2026, and the CVE record was last modified on June 18, 2026. The Google Chrome team addressed the issue in the stable channel update for desktop. It is a significant concern for organizations and individuals running Chrome on Windows, since a successful sandbox escape could let an attacker reach sensitive information that the sandbox is meant to isolate.

Vendor: Google
Product: Chrome
CVSS: CRITICAL 9.6
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-17
Original CVE updated: 2026-06-18
Advisory published: 2026-06-17
Advisory updated: 2026-06-18

Who should care

Users of Google Chrome on Windows, particularly those in organizations with sensitive information, should be aware of this critical vulnerability and take immediate action to update their browsers. IT administrators should prioritize patching this vulnerability to prevent potential sandbox escapes and unauthorized access.

Technical summary

CVE-2026-12440 is a use-after-free vulnerability in DigitalCredentials in Google Chrome on Windows. The bug is triggered when the browser accesses memory that has already been freed, which a remote attacker can potentially turn into a sandbox escape via a crafted HTML page. The vulnerability has a CVSS score of 9.6, a Critical rating. Its vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H: exploitable over the network (AV:N) with low attack complexity (AC:L) and no privileges required (PR:N), but requiring user interaction (UI:R, the victim loads the page); the changed scope (S:C) reflects the sandbox escape, since the impact crosses from the renderer into a different security authority, and the high confidentiality, integrity and availability impacts (C:H/I:H/A:H) follow from that.

Defensive priority

High

Recommended defensive actions

  • Update Google Chrome on Windows to version 149.0.7827.155 or later
  • Ensure that all users of Google Chrome on Windows are aware of this vulnerability and take action to update their browsers
  • Consider implementing additional security measures, such as sandboxing and monitoring, to detect and prevent potential attacks
  • Review and update incident response plans to address potential sandbox escapes
  • Conduct regular vulnerability assessments and penetration testing to identify and address potential vulnerabilities
  • Implement a robust patch management process to ensure timely application of security updates
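The first action above, confirming that every endpoint is on 149.0.7827.155 or later, is where version checks most often go wrong: Chrome build numbers must be compared numerically, field by field, and a plain string comparison ranks 149.0.7827.99 above 149.0.7827.155. The script below is an added example (not PatchSiren's or Google's code) that takes a constructed "host,chrome_version" inventory, a format assumed for this example rather than one any tool emits, and returns the hosts still below the fixed build.

```python
"""Flag Chrome installs below the fixed build (added example, not PatchSiren's code)."""

# Fixed version stated in the advisory.
FIXED_VERSION = "149.0.7827.155"

# Constructed inventory in an assumed "host,chrome_version" format; comment lines are skipped.
INVENTORY = """\
# host,chrome_version
ws-01,149.0.7827.155
ws-02,149.0.7827.99
ws-03,148.0.7700.210
ws-04,150.0.7900.10
"""


def parse_version(v: str) -> tuple:
    """'149.0.7827.155' -> (149, 0, 7827, 155); tuples of ints compare field by field."""
    return tuple(int(x) for x in v.strip().split("."))


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build is older than the fixed build."""
    return parse_version(installed) < parse_version(fixed)


def hosts_needing_update(inventory: str = INVENTORY) -> list:
    """Return hosts whose Chrome version is below FIXED_VERSION, in inventory order."""
    out = []
    for line in inventory.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, version = line.split(",", 1)
        if is_vulnerable(version):
            out.append(host)
    return out


if __name__ == "__main__":
    for host in hosts_needing_update():
        print(f"{host}: Chrome below {FIXED_VERSION}, update required")
```

On the constructed inventory this reports ws-02 and ws-03; ws-02 is the case a naive string comparison would miss, because "99" sorts after "155" as text.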

Evidence notes

The CVE record for CVE-2026-12440 was obtained from the National Vulnerability Database (NVD) and was last modified on June 18, 2026. The vulnerability was publicly disclosed on June 17, 2026. The Google Chrome team has addressed this issue in the stable channel update for desktop, which can be found at [ref-4]. Additional information can be found at [ref-5].

Official resources

Public