CVE-2026-6307
Published: 15 April 2026
Summary
CVE-2026-6307 is a high-severity Type Confusion (CWE-843) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 10.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-39 (Process Isolation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-2 requires timely identification and remediation of software flaws like the type confusion in Chrome's Turbofan, directly preventing exploitation by patching to version 147.0.7727.101 or later.
SI-16 implements memory protections such as ASLR and DEP that mitigate exploitation of the type confusion vulnerability for arbitrary code execution.
SC-39 enforces process isolation via sandboxing, containing the arbitrary code execution resulting from the Turbofan type confusion within Chrome's renderer processes.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Type confusion in Chrome V8 enables arbitrary code execution via crafted HTML/JS on a malicious site, directly facilitating drive-by compromise (T1189) and exploitation for client execution (T1203).
NVD Description
Type Confusion in Turbofan in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Deeper analysisAI
CVE-2026-6307 is a type confusion vulnerability in Turbofan, the JavaScript optimizing compiler within the V8 engine of Google Chrome. It affects Google Chrome versions prior to 147.0.7727.101 and is classified under CWE-843 (Type Confusion). The Chromium security team rated it as High severity, with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high impact on confidentiality, integrity, and availability.
A remote attacker can exploit this vulnerability by tricking a user into visiting a malicious website containing a crafted HTML page. The type confusion in Turbofan enables the execution of arbitrary code within Chrome's sandbox, potentially allowing sandboxed code execution without requiring user privileges beyond interaction with the malicious page.
Mitigation involves updating to Google Chrome 147.0.7727.101 or later, as detailed in the Chrome Releases blog post announcing the stable channel update for desktop on April 15, 2026 (https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_15.html). Additional technical details are tracked in the Chromium issue tracker (https://issues.chromium.org/issues/497404188).
Details
- CWE(s)