CVE-2026-6363
Published: 15 April 2026
Summary
CVE-2026-6363 is a high-severity Type Confusion (CWE-843) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 21.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-18 (Mobile Code).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires timely remediation of the type confusion flaw in Chrome's V8 engine by applying the patch released in version 147.0.7727.101.
Implements memory protection mechanisms such as ASLR and DEP that mitigate out-of-bounds memory access resulting from the V8 type confusion vulnerability.
Restricts and controls execution of malicious mobile code like JavaScript in crafted HTML pages that exploit the V8 type confusion.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Type confusion in Chrome V8 enables RCE via crafted HTML page, directly facilitating drive-by compromise (T1189) and client application exploitation (T1203).
NVD Description
Type Confusion in V8 in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: Medium)
Deeper analysisAI
CVE-2026-6363 is a type confusion vulnerability (CWE-843) in the V8 JavaScript engine within Google Chrome versions prior to 147.0.7727.101. It enables a remote attacker to potentially perform out-of-bounds memory access by means of a crafted HTML page. The issue carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is rated Medium severity by Chromium security.
A remote attacker without privileges can exploit this vulnerability over the network with low complexity by luring a user to interact with a malicious site, such as by visiting a crafted HTML page. Successful exploitation could result in high impacts to confidentiality, integrity, and availability, potentially allowing arbitrary code execution or system compromise through the out-of-bounds memory access.
Google addressed the vulnerability in Chrome stable channel version 147.0.7727.101, as announced in the Chrome Releases blog post (https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_15.html) and detailed in the Chromium issue tracker (https://issues.chromium.org/issues/495751197). Security practitioners should prioritize updating affected Chrome installations to mitigate the risk.
Details
- CWE(s)