CVE-2026-6299
Published: 15 April 2026
Summary
CVE-2026-6299 is a high-severity Use After Free (CWE-416) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The vulnerability ranks at the 25.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-39 (Process Isolation) and SI-16 (Memory Protection).
Deeper analysis
CVE-2026-6299 is a use-after-free vulnerability (CWE-416) in the Prerender component of Google Chrome prior to version 147.0.7727.101. Published on 2026-04-15, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is classified as Critical by Chromium security severity standards. The flaw enables a remote attacker to execute arbitrary code through a crafted HTML page.
A remote attacker without privileges can exploit this over the network with low complexity, though it requires user interaction, such as visiting a malicious webpage. Successful exploitation results in high impacts across confidentiality, integrity, and availability, culminating in arbitrary code execution on the affected system.
The fix is delivered in the Google Chrome stable channel update for desktop, described at https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_15.html. It is tracked in Chromium issue https://issues.chromium.org/issues/497053588, and users should update to version 147.0.7727.101 or later.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-23040
Vulnerability details
Use after free in Prerender in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)
- CWE(s): CWE-416 (Use After Free)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The use-after-free in Chrome Prerender enables remote code execution via a crafted HTML page, which maps directly to T1203 (Exploitation for Client Execution). It also maps to T1204.001 (Malicious Link), because exploitation requires the user to visit the malicious page.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
SI-2 requires timely flaw remediation, directly addressing the use-after-free vulnerability by mandating updates to Chrome version 147.0.7727.101 or later.
SI-16 implements memory protections specifically designed to mitigate use-after-free vulnerabilities like CWE-416 in the Prerender component.
SC-39 enforces process isolation, such as browser sandboxing, to contain arbitrary code execution from the exploited Prerender process.