Cyber Posture

CVE-2026-6309

High

Published: 15 April 2026

Modified: 17 April 2026
KEV Added
Patch
CVSS Score: 8.3 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.0004 (11.5th percentile)
Risk Priority: 17 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-6309 is a high-severity Use After Free (CWE-416) vulnerability in Google Chrome. Its CVSS base score is 8.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 11.5th percentile by exploit likelihood (EPSS), which is below the median, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent

Requires timely remediation of the specific use-after-free flaw in Chrome's Viz component by applying the update to version 147.0.7727.101 or later.

prevent

Implements memory protection mechanisms like ASLR, DEP, and stack canaries that directly mitigate exploitation of use-after-free vulnerabilities in the renderer process.

prevent

Enforces process isolation to contain a compromised renderer process and prevent sandbox escape to higher-privilege system components.

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (Tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

T1203 Exploitation for Client Execution (Tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.

Why these techniques?

The use-after-free in Chrome Viz allows a renderer sandbox escape via crafted HTML, directly enabling privilege escalation from the sandboxed process and code execution in the client application.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Use after free in Viz in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Deeper analysis

CVE-2026-6309 is a use-after-free vulnerability (CWE-416) in the Viz component of Google Chrome prior to version 147.0.7727.101. This flaw, with a CVSS v3.1 base score of 8.3 (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H) and rated High severity by Chromium, allows potential exploitation when handling crafted content.

A remote attacker who has compromised the renderer process can exploit this vulnerability through a crafted HTML page to potentially escape the sandbox. Per the CVSS vector, the attack is carried out over the network, has high attack complexity, requires no privileges but does require user interaction, and results in a changed scope with high impact to confidentiality, integrity, and availability.

Mitigation is available via the Google Chrome stable channel update to version 147.0.7727.101 or later, as detailed in the Chrome Releases blog at https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_15.html. Additional technical details are tracked in the Chromium issue at https://issues.chromium.org/issues/497846428.

Details

CWE(s)

Affected Products

google chrome ≤ 147.0.7727.101

CVEs Like This One

CVE-2026-6304 (Same product: Apple Macos)
CVE-2026-4676 (Same product: Apple Macos)
CVE-2026-5289 (Same product: Apple Macos)
CVE-2026-5874 (Same product: Apple Macos)
CVE-2026-6297 (Same product: Apple Macos)
CVE-2026-3924 (Same product: Apple Macos)
CVE-2026-5860 (Same product: Apple Macos)
CVE-2026-7349 (Same product: Apple Macos)
CVE-2026-3923 (Same product: Apple Macos)
CVE-2026-4456 (Same product: Apple Macos)
