CVE-2026-6310
Published: 15 April 2026
Summary
CVE-2026-6310 is a high-severity Use After Free (CWE-416) vulnerability in Google Chrome. Its CVSS base score is 8.3 (High).
Exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 11.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-39 (Process Isolation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly mitigates the use-after-free vulnerability by requiring timely remediation through patching to Chrome 147.0.7727.101 or later.
Provides memory safeguards like ASLR and DEP that hinder exploitation of the use-after-free bug in the Dawn renderer component.
Enforces process isolation to contain renderer compromises within the sandbox, reducing the impact of potential escapes.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The use-after-free in Dawn (WebGPU) enables a sandbox escape once the renderer is compromised, which maps to exploitation for privilege escalation with a scope change and elevated system access.
NVD Description
Use after free in Dawn in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Deeper analysis
CVE-2026-6310 is a use-after-free vulnerability (CWE-416) in the Dawn component of Google Chrome versions prior to 147.0.7727.101. Dawn, which handles WebGPU functionality in Chromium-based browsers, contains a memory safety issue that was assigned a CVSS v3.1 base score of 8.3 (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H) and classified as High severity by the Chromium security team. The flaw was publicly disclosed on April 15, 2026.
A remote attacker could exploit this vulnerability by tricking a user into visiting a crafted HTML page, provided the attacker had already compromised the renderer process. Successful exploitation enables a potential sandbox escape, granting elevated privileges beyond the renderer's isolation and resulting in high-impact confidentiality, integrity, and availability violations across the system scope.
Mitigation involves updating to Google Chrome 147.0.7727.101 or later, as detailed in the stable channel update announced on the Chrome Releases blog (https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_15.html). Additional technical details are tracked in Chromium issue 497969820 (https://issues.chromium.org/issues/497969820).
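One way to verify the remediation above across a set of hosts, as an added example that is not part of the original advisory or any Google tooling. It assumes an inventory of `host<TAB>output of "google-chrome --version"` lines; the hostnames and every build number other than 147.0.7727.101 are constructed.

```python
import re

# First fixed Google Chrome build, taken from the advisory text above.
FIXED = (147, 0, 7727, 101)
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")

def parse_version(text):
    """Return the four-part version found in text as a tuple of ints, or None."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None

def is_vulnerable(text):
    """True if the reported build is older than the fixed build.

    Components are compared as integers: a plain string comparison would
    rank '147.0.7727.99' above '147.0.7727.101' and miss a vulnerable host.
    """
    version = parse_version(text)
    if version is None:
        raise ValueError(f"no Chrome version in {text!r}")
    return version < FIXED

def audit(lines):
    """Split 'host<TAB>version output' lines into vulnerable/patched/unknown."""
    result = {"vulnerable": [], "patched": [], "unknown": []}
    for line in lines:
        host, _, reported = line.partition("\t")
        version = parse_version(reported)
        if version is None:
            result["unknown"].append(host)  # no version reported: follow up manually
        elif version < FIXED:
            result["vulnerable"].append(host)
        else:
            result["patched"].append(host)
    return result

# Constructed sample inventory (hostnames and non-advisory builds are made up).
SAMPLE = [
    "ws-01\tGoogle Chrome 147.0.7727.99",
    "ws-02\tGoogle Chrome 147.0.7727.101",
    "ws-03\tGoogle Chrome 146.0.7000.50",
    "ws-04\tGoogle Chrome 148.0.7800.10",
    "ws-05\tsh: google-chrome: command not found",
]

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts that land in `unknown` have not been shown to be patched and should be checked by hand.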