CVE-2026-6308

High

Published: 15 April 2026

Published

15 April 2026

Modified

17 April 2026

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0003 9.9th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-6308 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Google Chrome. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 9.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-39 (Process Isolation) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

SI-2 requires timely flaw remediation, directly addressing this known out-of-bounds read vulnerability by applying the Chrome patch in version 147.0.7727.101.

SI-16 Memory Protection good match

prevent

SI-16 implements memory protection mechanisms like ASLR and DEP that directly mitigate out-of-bounds read exploits leading to arbitrary code execution.

SC-39 Process Isolation good match

prevent

SC-39 enforces process isolation, such as Chrome's sandboxing for media components, to prevent arbitrary code execution from propagating beyond the isolated process.

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution

Adversaries may exploit software vulnerabilities in client applications to execute code.

attack.mitre.org →

Why these techniques?

Out-of-bounds read in Chrome media component enables remote exploitation of client application vulnerability via crafted HTML page and UI interaction to achieve arbitrary code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Out of bounds read in Media in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)

Deeper analysisAI

CVE-2026-6308 is an out-of-bounds read vulnerability (CWE-125) in the Media component of Google Chrome prior to version 147.0.7727.101. Published on 2026-04-15, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H) and is classified as High severity by Chromium security.

A remote attacker can exploit this vulnerability by convincing a targeted user to engage in specific UI gestures while visiting a crafted HTML page, resulting in arbitrary code execution on the victim's system.

Mitigation is available in Google Chrome version 147.0.7727.101 and later. Additional details are provided in the Chrome stable channel update at https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_15.html and the Chromium issue tracker at https://issues.chromium.org/issues/497412658.

Details

CWE(s): CWE-125

Affected Products

google

chrome

≤ 147.0.7727.101

CVEs Like This One

CVE-2026-4462Same product: Apple Macos

CVE-2026-4674Same product: Apple Macos

CVE-2026-3540Same product: Apple Macos

CVE-2026-4677Same product: Apple Macos

CVE-2026-3926Same product: Apple Macos

CVE-2026-4460Same product: Apple Macos

CVE-2026-5292Same product: Apple Macos

CVE-2026-3916Same product: Apple Macos

CVE-2026-5907Same product: Apple Macos

CVE-2025-12725Same product: Apple Macos

References

https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_15.html
Release Notes, Vendor Advisory · chrome-cve-admin@google.com
https://issues.chromium.org/issues/497412658
Permissions Required · chrome-cve-admin@google.com