Cyber Posture

CVE-2026-6316

High
Microsoft: not affectedMSmacOS: not affectedMacLinux: not affectedLnxMobile: not affectedMobNetwork: not affectedNetApplication: affectedAppOther: not affectedOth

Published: 15 April 2026

Published
15 April 2026
Modified
17 April 2026
KEV Added
Patch
CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0015 35.3th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-6316 is a high-severity Use After Free (CWE-416) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 35.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Directly mandates timely identification, reporting, and correction of software flaws like the use-after-free vulnerability in Chrome Forms via patch deployment to version 147.0.7727.101.

SI-16 Memory Protection partial match
prevent

Implements memory safeguards such as ASLR, DEP, and sandboxing enhancements that hinder arbitrary code execution from use-after-free exploits in Chrome.

RA-5 Vulnerability Monitoring and Scanning partial match
detect

Requires vulnerability scanning to identify deployed instances of vulnerable Google Chrome versions affected by CVE-2026-6316.

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
attack.mitre.org →
Why these techniques?

The vulnerability is a use-after-free in Google Chrome's Forms component exploited via a crafted HTML page for arbitrary code execution in the browser sandbox, directly enabling Exploitation for Client Execution (T1203).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Use after free in Forms in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Deeper analysisAI

CVE-2026-6316 is a use-after-free vulnerability (CWE-416) in the Forms component of Google Chrome prior to version 147.0.7727.101. Published on 2026-04-15, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is classified as High severity by Chromium security.

A remote attacker can exploit this vulnerability via a crafted HTML page, achieving arbitrary code execution inside the browser's sandbox. Exploitation requires user interaction, such as loading the malicious page, but needs no privileges and has low complexity over the network.

Mitigation is available in Google Chrome version 147.0.7727.101 and later, as announced in the stable channel update for desktop on the Chrome Releases blog (https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_15.html) and detailed in the Chromium issue tracker (https://issues.chromium.org/issues/499384399). Security practitioners should advise users to update promptly.

Details

CWE(s)
CWE-416

Affected Products

google
chrome
≤ 147.0.7727.101

CVEs Like This One

CVE-2026-3921Same product: Apple Macos
CVE-2025-13638Same product: Apple Macos
CVE-2026-7348Same product: Apple Macos
CVE-2025-8578Same product: Apple Macos
CVE-2026-7338Same product: Apple Macos
CVE-2026-7940Same product: Apple Macos
CVE-2026-3919Same product: Apple Macos
CVE-2025-14765Same product: Apple Macos
CVE-2026-2321Same product: Apple Macos
CVE-2025-11460Same product: Apple Macos

References