CVE-2026-6301
Published: 15 April 2026
Summary
CVE-2026-6301 is a high-severity Type Confusion (CWE-843) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 10.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mandates timely patching and remediation of known flaws like the type confusion vulnerability in Chrome's Turbofan component.
Requires vulnerability scanning to identify systems running vulnerable Chrome versions affected by CVE-2026-6301.
Ensures organizations monitor and respond to vendor security advisories, such as Chrome release notes announcing patches for CVE-2026-6301.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Type confusion in Chrome JS engine enables RCE via crafted HTML on malicious site, directly mapping to drive-by compromise (T1189), client execution exploitation (T1203), and malicious link delivery (T1204.001).
NVD Description
Type Confusion in Turbofan in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Deeper analysisAI
CVE-2026-6301 is a type confusion vulnerability (CWE-843) in Turbofan, affecting Google Chrome versions prior to 147.0.7727.101. Turbofan is a component within the browser's JavaScript engine. Published on 2026-04-15, the flaw enables a remote attacker to potentially execute arbitrary code inside the sandbox through a crafted HTML page, earning a Chromium security severity rating of High and a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
A remote attacker can exploit this vulnerability by luring a user to visit a malicious website hosting the crafted HTML page, which requires user interaction but no special privileges. Upon rendering, the type confusion in Turbofan allows the attacker to achieve arbitrary code execution confined to the renderer sandbox, potentially compromising confidentiality, integrity, and availability with high impact.
The Chrome Releases blog announces a stable channel update for desktop to version 147.0.7727.101, which patches this issue along with others. Additional details on the fix are available in Chromium issue tracker entry 495273999. Mitigation involves updating affected Google Chrome installations to 147.0.7727.101 or later.
Details
- CWE(s)