Cyber Resilience

CVE-2026-6315

High

Published: 15 April 2026

Published
15 April 2026
Modified
26 May 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0032 23.9th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-6315 is a high-severity Use After Free (CWE-416) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 23.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-39 (Process Isolation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-6315 is a use-after-free vulnerability (CWE-416) in the Permissions component of Google Chrome on Android versions prior to 147.0.7727.101. Published on 2026-04-15, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is classified as High severity by the Chromium security team.

A remote attacker can exploit this vulnerability by convincing a targeted user to engage in specific UI gestures while interacting with a crafted HTML page, potentially leading to arbitrary code execution on the affected device.

Google has addressed the issue in Chrome for Android version 147.0.7727.101 and later. For patch details and additional information, refer to the Chrome Releases blog at https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_15.html and the Chromium issue tracker at https://issues.chromium.org/issues/499247910.

EU & UK References

Vulnerability details

Use after free in Permissions in Google Chrome on Android prior to 147.0.7727.101 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

The vulnerability is a client-side use-after-free in Google Chrome leading to arbitrary code execution via a crafted HTML page requiring user interaction, directly mapping to Exploitation for Client Execution (T1203).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-0997Same product: Google Chrome
CVE-2025-0762Same product: Google Chrome
CVE-2026-6319Same product: Google Chrome
CVE-2025-1916Same product: Google Chrome
CVE-2026-6359Same product: Google Chrome
CVE-2025-1006Same product: Google Chrome
CVE-2025-0995Same product: Google Chrome
CVE-2026-9923Same product: Google Chrome
CVE-2026-9941Same product: Google Chrome
CVE-2026-6358Same product: Google Chrome

Affected Assets

google
chrome
≤ 147.0.7727.101

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires timely remediation of flaws like this use-after-free vulnerability through installation of vendor patches such as Chrome for Android 147.0.7727.101.

prevent

Implements memory safeguards such as ASLR and DEP to directly counter use-after-free exploits leading to arbitrary code execution.

prevent

Enforces process isolation via browser sandboxing to confine arbitrary code execution in the Permissions component and limit system compromise.

References