CVE-2026-6361
Published: 15 April 2026
Summary
CVE-2026-6361 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Google Chrome. Its CVSS base score is 7.2 (High).
Exploitation maps to the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks at the 6.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly remediates the heap buffer overflow in PDFium by requiring timely application of the Chrome 147.0.7727.101 patch.
- Implements memory protections like ASLR and DEP that prevent arbitrary code execution from heap buffer overflows in PDFium.
- Validates crafted PDF inputs to PDFium, reducing the risk of malformed files triggering the buffer overflow.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Heap buffer overflow in PDFium enables arbitrary code execution via crafted PDF requiring user interaction to process the file, directly mapping to client-side exploitation and malicious file execution.
NVD Description
Heap buffer overflow in PDFium in Google Chrome on Windows prior to 147.0.7727.101 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code inside a sandbox via a crafted PDF file. (Chromium security severity: High)
Deeper analysis
CVE-2026-6361 is a heap buffer overflow vulnerability (CWE-122) in the PDFium component of Google Chrome on Windows versions prior to 147.0.7727.101. Published on 2026-04-15, it carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N) and is classified as High severity by Chromium security.
A remote attacker can exploit this vulnerability by convincing a user to engage in specific UI gestures while processing a crafted PDF file, resulting in arbitrary code execution inside the Chrome sandbox.
Google addressed the issue in Chrome version 147.0.7727.101, as detailed in the stable channel update on the Chrome Releases blog (https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_15.html) and Chromium issue 500036290 (https://issues.chromium.org/issues/500036290). Security practitioners should prioritize updating affected systems to mitigate the risk.
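To support that prioritization, here is an added example (not from the advisory or from Google) that triages a software inventory against the fixed build 147.0.7727.101. The CSV layout, hostnames and sample versions are constructed for illustration; the Windows-only scope follows the NVD description.

```python
import csv
import io
import re

FIXED = (147, 0, 7727, 101)  # first fixed Chrome build, taken from the advisory

# Constructed sample inventory: hostnames and versions are made up for this example.
SAMPLE_INVENTORY = """host,os,chrome_version
ws-001,Windows,147.0.7727.99
ws-002,Windows,147.0.7727.101
ws-003,Windows,146.0.7680.178
mac-001,macOS,147.0.7727.55
ws-004,Windows,unknown
"""

VERSION_RE = re.compile(r"[0-9]+(\.[0-9]+){3}")


def parse_version(text):
    """Return a 4-tuple of ints, or None if text is not a dotted 4-part build."""
    text = text.strip()
    if not VERSION_RE.fullmatch(text):
        return None
    return tuple(int(part) for part in text.split("."))


def triage(inventory_csv):
    """Map each host to 'vulnerable', 'patched', 'out-of-scope' or 'unknown'."""
    result = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        host = row["host"]
        if row["os"].strip().lower() != "windows":
            result[host] = "out-of-scope"  # this CVE is scoped to Chrome on Windows
            continue
        version = parse_version(row["chrome_version"])
        if version is None:
            result[host] = "unknown"  # follow up manually, never assume patched
        elif version < FIXED:  # numeric, component-wise comparison
            result[host] = "vulnerable"
        else:
            result[host] = "patched"
    return result


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Comparing the raw strings would rank 147.0.7727.99 above 147.0.7727.101 and report ws-001 as patched, which is why the versions are parsed into integer tuples first.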
Details
- CWE(s)