CVE-2026-6315

High

Published: 15 April 2026

Published

15 April 2026

Modified

17 April 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0013 31.9th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-6315 is a high-severity Use After Free (CWE-416) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 31.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-39 (Process Isolation) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Requires timely remediation of flaws like this use-after-free vulnerability through installation of vendor patches such as Chrome for Android 147.0.7727.101.

SI-16 Memory Protection good match

prevent

Implements memory safeguards such as ASLR and DEP to directly counter use-after-free exploits leading to arbitrary code execution.

SC-39 Process Isolation good match

prevent

Enforces process isolation via browser sandboxing to confine arbitrary code execution in the Permissions component and limit system compromise.

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution

Adversaries may exploit software vulnerabilities in client applications to execute code.

attack.mitre.org →

Why these techniques?

The vulnerability is a client-side use-after-free in Google Chrome leading to arbitrary code execution via a crafted HTML page requiring user interaction, directly mapping to Exploitation for Client Execution (T1203).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Use after free in Permissions in Google Chrome on Android prior to 147.0.7727.101 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)

Deeper analysisAI

CVE-2026-6315 is a use-after-free vulnerability (CWE-416) in the Permissions component of Google Chrome on Android versions prior to 147.0.7727.101. Published on 2026-04-15, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is classified as High severity by the Chromium security team.

A remote attacker can exploit this vulnerability by convincing a targeted user to engage in specific UI gestures while interacting with a crafted HTML page, potentially leading to arbitrary code execution on the affected device.

Google has addressed the issue in Chrome for Android version 147.0.7727.101 and later. For patch details and additional information, refer to the Chrome Releases blog at https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_15.html and the Chromium issue tracker at https://issues.chromium.org/issues/499247910.

Details

CWE(s): CWE-416

Affected Products

google

chrome

≤ 147.0.7727.101

CVEs Like This One

CVE-2026-6319Same product: Google Chrome

CVE-2025-0762Same product: Google Chrome

CVE-2025-1916Same product: Google Chrome

CVE-2025-0997Same product: Google Chrome

CVE-2025-2476Same product: Google Chrome

CVE-2026-6359Same product: Google Chrome

CVE-2025-2136Same product: Google Chrome

CVE-2025-0995Same product: Google Chrome

CVE-2026-6360Same product: Google Chrome

CVE-2026-6358Same product: Google Chrome

References

https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_15.html
Release Notes, Vendor Advisory · chrome-cve-admin@google.com
https://issues.chromium.org/issues/499247910
Permissions Required · chrome-cve-admin@google.com