CVE-2026-6302
Published: 15 April 2026
Summary
CVE-2026-6302 is a high-severity Use After Free (CWE-416) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189). The CVE is ranked at the 25.1st percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
CVE-2026-6302 is a use-after-free vulnerability (CWE-416) in the Video component of Google Chrome prior to version 147.0.7727.101. Published on 2026-04-15, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is classified as High severity by Chromium security.
A remote attacker can exploit this flaw by luring a user to visit a crafted HTML page, which triggers the use-after-free condition in the Video component. Successful exploitation enables the attacker to execute arbitrary code within the browser's sandbox, potentially compromising confidentiality, integrity, and availability with high impact, though it requires user interaction and no special privileges.
Mitigation is available via the stable channel update to Google Chrome 147.0.7727.101 or later, as announced in the Chrome Releases blog post at https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_15.html and detailed in the Chromium issue tracker at https://issues.chromium.org/issues/495477995. Security practitioners should prioritize updating affected browsers.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-23046
Vulnerability details
Use after free in Video in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Use-after-free in Chrome Video component triggered by crafted HTML page enables drive-by compromise (T1189) and client application exploitation for arbitrary code execution (T1203).
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly remediates the use-after-free vulnerability in Chrome's Video component by requiring timely application of the vendor update to version 147.0.7727.101 or later.
- RA-5 (Vulnerability Monitoring and Scanning): Enables scanning and monitoring to identify systems running Chrome versions prior to 147.0.7727.101 that are affected by this use-after-free flaw.
- SI-5 (Security Alerts, Advisories, and Directives): Ensures receipt and dissemination of security advisories on CVE-2026-6302 from sources such as the Chrome Releases blog, prompting timely flaw remediation.
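The RA-5 control above hinges on comparing an inventoried Chrome version against the fixed build 147.0.7727.101. The following is an added example (not code from the advisory or from Chromium) of a numeric four-part version comparison applied to constructed "hostname,version" inventory lines; it exists because a plain string comparison gets the answer wrong for builds like 147.0.7727.90. The inventory format and host names are assumptions for the example.

```python
from typing import Dict, List, Optional, Tuple

# Fixed version named in the advisory for CVE-2026-6302.
FIXED_VERSION = "147.0.7727.101"


def parse_chrome_version(s: str) -> Optional[Tuple[int, int, int, int]]:
    """Parse a Chrome MAJOR.MINOR.BUILD.PATCH string into a tuple of ints.

    Returns None for anything that is not exactly four numeric fields, so
    callers can report unparseable entries instead of silently skipping them.
    """
    parts = s.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)  # type: ignore[return-value]


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `version` is strictly older than the fixed build.

    Comparing tuples of ints avoids the lexicographic trap where the string
    "147.0.7727.90" sorts after "147.0.7727.101" even though it is older.
    """
    v = parse_chrome_version(version)
    f = parse_chrome_version(fixed)
    if v is None or f is None:
        raise ValueError(f"unparseable version: {version!r}")
    return v < f


def triage_inventory(lines: List[str]) -> Dict[str, List[str]]:
    """Split 'hostname,version' lines into hosts needing the update,
    hosts already patched, and entries whose version could not be parsed."""
    result: Dict[str, List[str]] = {"vulnerable": [], "patched": [], "unparseable": []}
    for line in lines:
        host, _, version = line.partition(",")
        if parse_chrome_version(version) is None:
            result["unparseable"].append(host)  # e.g. "not-installed"
        elif is_vulnerable(version):
            result["vulnerable"].append(host)
        else:
            result["patched"].append(host)
    return result


# Constructed sample inventory (assumption: one host per line, CSV-like).
SAMPLE_INVENTORY = [
    "ws-01,147.0.7727.101",  # exactly the fixed build
    "ws-02,147.0.7727.90",   # older patch number, looks newer as a string
    "ws-03,146.0.7700.60",   # older major version
    "ws-04,147.0.7728.0",    # newer build than the fix
    "ws-05,not-installed",   # cannot be assessed from the inventory
]
```

Hosts in the "unparseable" bucket need a manual check rather than being treated as patched.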