Cyber Resilience

CVE-2026-6360

High

Published: 15 April 2026

Published
15 April 2026
Modified
26 May 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0025 16.3th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-6360 is a high-severity Use After Free (CWE-416) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 16.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-6360 is a use-after-free vulnerability (CWE-416) in the FileSystem component of Google Chrome versions prior to 147.0.7727.101. It allows a remote attacker to potentially exploit object corruption through a crafted HTML page. The vulnerability carries a Chromium security severity rating of High and a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high impacts on confidentiality, integrity, and availability.

A remote attacker can exploit this vulnerability by tricking a user into visiting a malicious website, as it requires user interaction but no special privileges. Successful exploitation could lead to object corruption, potentially enabling arbitrary code execution or other severe compromises within the browser's sandboxed environment.

Google's stable channel update for desktop, detailed at https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_15.html, addresses the issue in Chrome 147.0.7727.101. Additional technical details are available in the Chromium issue tracker at https://issues.chromium.org/issues/497880137. Security practitioners should ensure users update to the patched version promptly.

EU & UK References

Vulnerability details

Use after free in FileSystem in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page. (Chromium security severity: High)

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1189 Drive-by Compromise Initial Access
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

Use-after-free in Chrome FileSystem enables RCE via crafted HTML on malicious site, directly mapping to Drive-by Compromise (T1189) and Exploitation for Client Execution (T1203).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-6359Same product: Google Chrome
CVE-2025-1006Same product: Google Chrome
CVE-2025-0995Same product: Google Chrome
CVE-2026-9923Same product: Google Chrome
CVE-2026-9941Same product: Google Chrome
CVE-2026-6358Same product: Google Chrome
CVE-2026-8549Same product: Google Chrome
CVE-2026-8581Same product: Google Chrome
CVE-2026-9934Same product: Google Chrome
CVE-2025-2136Same product: Google Chrome

Affected Assets

google
chrome
≤ 147.0.7727.101

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires organizations to remediate flaws like this use-after-free vulnerability through timely application of vendor patches such as Chrome 147.0.7727.101.

prevent

Implements memory protection mechanisms that directly mitigate use-after-free vulnerabilities by preventing unauthorized memory access and object corruption.

detect

Enables vulnerability scanning to identify systems running vulnerable Chrome versions affected by this CVE, facilitating targeted remediation.

References