Cyber Resilience

CVE-2026-6310

High

Published: 15 April 2026

Published
15 April 2026
Modified
27 May 2026
KEV Added
Patch
CVSS Score v3.1 8.3 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
EPSS Score 0.0025 16.1th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-6310 is a high-severity Use After Free (CWE-416) vulnerability in Google Chrome. Its CVSS base score is 8.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 16.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-39 (Process Isolation).

Deeper analysis

CVE-2026-6310 is a use-after-free vulnerability (CWE-416) in the Dawn component of Google Chrome versions prior to 147.0.7727.101. Dawn, which handles WebGPU functionality in Chromium-based browsers, contains a memory safety issue that was assigned a CVSS v3.1 base score of 8.3 (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H) and classified as High severity by the Chromium security team. The flaw was publicly disclosed on April 15, 2026.

A remote attacker could exploit this vulnerability by tricking a user into visiting a crafted HTML page, provided the attacker had already compromised the renderer process. Successful exploitation enables a potential sandbox escape, granting elevated privileges beyond the renderer's isolation and resulting in high-impact confidentiality, integrity, and availability violations across the system scope.

Mitigation involves updating to Google Chrome 147.0.7727.101 or later, as detailed in the stable channel update announced on the Chrome Releases blog (https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_15.html). Additional technical details are tracked in Chromium issue 497969820 (https://issues.chromium.org/issues/497969820).

EU & UK References

Vulnerability details

Use after free in Dawn in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The use-after-free in the renderer (Dawn/WebGPU) directly enables sandbox escape after renderer compromise, mapping to exploitation for privilege escalation with scope change and elevated system access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-7919Same product: Apple Macos
CVE-2026-9946Same product: Apple Macos
CVE-2026-9925Same product: Apple Macos
CVE-2026-4456Same product: Apple Macos
CVE-2026-7975Same product: Apple Macos
CVE-2026-9891Same product: Apple Macos
CVE-2026-9877Same product: Apple Macos
CVE-2026-7343Same product: Apple Macos
CVE-2026-9931Same product: Apple Macos
CVE-2026-8523Same product: Apple Macos

Affected Assets

google
chrome
≤ 147.0.7727.101

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the use-after-free vulnerability by requiring timely remediation through patching to Chrome 147.0.7727.101 or later.

prevent

Provides memory safeguards like ASLR and DEP that hinder exploitation of the use-after-free bug in the Dawn renderer component.

prevent

Enforces process isolation to contain renderer compromises within the sandbox, reducing the impact of potential escapes.

References