CVE-2026-6360
Published: 15 April 2026
Summary
CVE-2026-6360 is a high-severity Use After Free (CWE-416) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 6.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires organizations to remediate flaws like this use-after-free vulnerability through timely application of vendor patches such as Chrome 147.0.7727.101.
Implements memory protection mechanisms that directly mitigate use-after-free vulnerabilities by preventing unauthorized memory access and object corruption.
Enables vulnerability scanning to identify systems running vulnerable Chrome versions affected by this CVE, facilitating targeted remediation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Use-after-free in Chrome FileSystem enables RCE via crafted HTML on malicious site, directly mapping to Drive-by Compromise (T1189) and Exploitation for Client Execution (T1203).
NVD Description
Use after free in FileSystem in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page. (Chromium security severity: High)
Deeper analysisAI
CVE-2026-6360 is a use-after-free vulnerability (CWE-416) in the FileSystem component of Google Chrome versions prior to 147.0.7727.101. It allows a remote attacker to potentially exploit object corruption through a crafted HTML page. The vulnerability carries a Chromium security severity rating of High and a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high impacts on confidentiality, integrity, and availability.
A remote attacker can exploit this vulnerability by tricking a user into visiting a malicious website, as it requires user interaction but no special privileges. Successful exploitation could lead to object corruption, potentially enabling arbitrary code execution or other severe compromises within the browser's sandboxed environment.
Google's stable channel update for desktop, detailed at https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_15.html, addresses the issue in Chrome 147.0.7727.101. Additional technical details are available in the Chromium issue tracker at https://issues.chromium.org/issues/497880137. Security practitioners should ensure users update to the patched version promptly.
Details
- CWE(s)