PatchSiren

CVE-2026-12445 Google CVE debrief

CVE-2026-12445 is a high-severity use-after-free vulnerability in the Extensions component of Google Chrome. An attacker could exploit it by convincing a user to install a malicious extension, potentially leading to heap corruption. It carries a CVSS score of 7.5 and was publicly disclosed on June 17, 2026. Google Chrome versions prior to 149.0.7827.155 are affected. Google has patched the vulnerability, and users are advised to update to the latest version. The issue highlights the importance of caution when installing browser extensions and of keeping software up to date.

Vendor: Google
Product: Chrome
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-17
Original CVE updated: 2026-06-18
Advisory published: 2026-06-17
Advisory updated: 2026-06-18

Who should care

Users of Google Chrome, particularly those who install extensions from third-party sources, should be aware of this vulnerability and take steps to protect themselves. IT administrators responsible for managing Chrome installations in their organizations should also take note and ensure that all Chrome instances are updated to the latest version.

Technical summary

CVE-2026-12445 is a use-after-free issue in the Extensions component of Google Chrome. A use-after-free occurs when a program continues to use memory after it has been freed, which can lead to unpredictable behavior, crashes, or exploitation by an attacker. In this case, an attacker could craft a malicious Chrome extension that, when installed and used, could lead to heap corruption. The CVSS vector is CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H: the vulnerability is exploitable over the network (AV:N) with high attack complexity (AC:H), needs no privileges (PR:N) but does require user interaction (UI:R), leaves scope unchanged (S:U), and can have a high impact on confidentiality, integrity, and availability.

Defensive priority

High

Recommended defensive actions

  • Update Google Chrome to version 149.0.7827.155 or later
  • Be cautious when installing browser extensions, especially from third-party sources
  • Regularly review and update installed extensions
  • Use official sources for Chrome extensions
  • Implement a robust patch management process for Chrome and its extensions
  • Monitor for suspicious activity or anomalies in Chrome behavior

Evidence notes

The information provided is based on the CVE record and NVD details. The CVE was published on June 17, 2026, and modified on June 18, 2026. The vulnerability is rated high severity, with a CVSS score of 7.5.

Official resources

Publicly disclosed on June 17, 2026.