Cyber Resilience

CVE-2026-6297

High

Published: 15 April 2026

Published
15 April 2026
Modified
27 May 2026
KEV Added
Patch
CVSS Score v3.1 8.3 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
EPSS Score 0.0020 10.0th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-6297 is a high-severity Use After Free (CWE-416) vulnerability in Google Chrome. Its CVSS base score is 8.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 10.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-6297 is a use-after-free vulnerability (CWE-416) in the Proxy component of Google Chrome prior to version 147.0.7727.101. Published on 2026-04-15, it carries a CVSS v3.1 base score of 8.3 (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H) and is classified as Critical severity by Chromium security.

The vulnerability can be exploited by an attacker in a privileged network position using a crafted HTML page, which requires user interaction such as visiting a malicious site. Successful exploitation enables potential sandbox escape, granting high-impact privileges with changed scope that affect confidentiality, integrity, and availability.

Google Chrome version 147.0.7727.101 addresses the issue. Additional details are available in the Chrome stable channel update at https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_15.html and the Chromium issue tracker at https://issues.chromium.org/issues/493628982.

EU & UK References

Vulnerability details

Use after free in Proxy in Google Chrome prior to 147.0.7727.101 allowed an attacker in a privileged network position to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1189 Drive-by Compromise Initial Access
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Use-after-free in Chrome Proxy enables drive-by compromise via crafted HTML on malicious site (T1189), client-side code execution (T1203), and sandbox escape for privilege escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-3924Same product: Apple Macos
CVE-2026-8515Same product: Apple Macos
CVE-2026-7357Same product: Apple Macos
CVE-2026-7342Same product: Apple Macos
CVE-2026-4680Same product: Apple Macos
CVE-2026-7355Same product: Apple Macos
CVE-2026-5284Same product: Apple Macos
CVE-2026-7908Same product: Apple Macos
CVE-2026-7918Same product: Apple Macos
CVE-2026-9992Same product: Apple Macos

Affected Assets

google
chrome
≤ 147.0.7727.101

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the use-after-free vulnerability by requiring timely remediation through patching Chrome to version 147.0.7727.101 or later.

prevent

Implements memory protections like ASLR and DEP that directly counter exploitation of use-after-free errors in the Chrome Proxy component.

prevent

Enhances process isolation and sandboxing to limit the scope and impact of potential sandbox escapes triggered by the vulnerability.

References