Cyber Resilience

CVE-2026-6363

High

Published: 15 April 2026

Published
15 April 2026
Modified
27 May 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0027 19.0th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-6363 is a high-severity Type Confusion (CWE-843) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 19.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-18 (Mobile Code).

Deeper analysis

CVE-2026-6363 is a type confusion vulnerability (CWE-843) in the V8 JavaScript engine within Google Chrome versions prior to 147.0.7727.101. It enables a remote attacker to potentially perform out-of-bounds memory access by means of a crafted HTML page. The issue carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is rated Medium severity by Chromium security.

A remote attacker without privileges can exploit this vulnerability over the network with low complexity by luring a user to interact with a malicious site, such as by visiting a crafted HTML page. Successful exploitation could result in high impacts to confidentiality, integrity, and availability, potentially allowing arbitrary code execution or system compromise through the out-of-bounds memory access.

Google addressed the vulnerability in Chrome stable channel version 147.0.7727.101, as announced in the Chrome Releases blog post (https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_15.html) and detailed in the Chromium issue tracker (https://issues.chromium.org/issues/495751197). Security practitioners should prioritize updating affected Chrome installations to mitigate the risk.

EU & UK References

Vulnerability details

Type Confusion in V8 in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: Medium)

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1189 Drive-by Compromise Initial Access
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

Type confusion in Chrome V8 enables RCE via crafted HTML page, directly facilitating drive-by compromise (T1189) and client application exploitation (T1203).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-2135Same product: Google Chrome
CVE-2026-8540Same product: Google Chrome
CVE-2025-1920Same product: Google Chrome
CVE-2025-0291Same product: Google Chrome
CVE-2025-1914Same product: Google Chrome
CVE-2025-0999Same product: Google Chrome
CVE-2026-2650Same product: Google Chrome
CVE-2026-6359Same product: Google Chrome
CVE-2025-0437Same product: Google Chrome
CVE-2025-1006Same product: Google Chrome

Affected Assets

google
chrome
≤ 147.0.7727.101

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely remediation of the type confusion flaw in Chrome's V8 engine by applying the patch released in version 147.0.7727.101.

prevent

Implements memory protection mechanisms such as ASLR and DEP that mitigate out-of-bounds memory access resulting from the V8 type confusion vulnerability.

SC-18 Mobile Code partial match
prevent

Restricts and controls execution of malicious mobile code like JavaScript in crafted HTML pages that exploit the V8 type confusion.

References