CVE-2026-6317
Published: 15 April 2026
Summary
CVE-2026-6317 is a high-severity Use After Free (CWE-416) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 35.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses the CVE by requiring timely identification, reporting, and remediation of flaws such as the use-after-free vulnerability through patching Chrome to version 147.0.7727.101 or later.
Implements memory protection mechanisms like ASLR, DEP, and stack canaries that directly mitigate use-after-free exploits by preventing unauthorized code execution from corrupted memory.
Deploys malicious code protection tools that can block or detect exploitation attempts via crafted HTML pages leading to arbitrary code execution in the browser.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is a use-after-free in Google Chrome exploited via a crafted HTML page, enabling drive-by compromise (T1189) and exploitation for client execution (T1203) through remote arbitrary code execution requiring user interaction to visit the malicious page.
NVD Description
Use after free in Cast in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)
Deeper analysisAI
CVE-2026-6317 is a use-after-free vulnerability (CWE-416) in the Cast component of Google Chrome versions prior to 147.0.7727.101. It allows a remote attacker to execute arbitrary code by tricking a user into visiting a crafted HTML page. The vulnerability carries a Chromium security severity rating of High and a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high impact on confidentiality, integrity, and availability.
A remote attacker can exploit this vulnerability over the network with low complexity and no required privileges, but it requires user interaction, such as opening a malicious HTML page. Successful exploitation enables arbitrary code execution within the context of the browser, potentially leading to full compromise of the affected system.
Mitigation details are available in the Chrome Releases stable channel update announcement at https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_15.html and the associated Chromium issue tracker at https://issues.chromium.org/issues/500091052. Users should update to Google Chrome 147.0.7727.101 or later to address the issue.
Details
- CWE(s)