Cyber Resilience

CVE-2026-6919

Critical

Published: 23 April 2026

Published
23 April 2026
Modified
26 May 2026
KEV Added
Patch
CVSS Score v3.1 9.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
EPSS Score 0.0029 20.0th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-6919 is a critical-severity Use After Free (CWE-416) vulnerability in Google Chrome. Its CVSS base score is 9.6 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Stealth (T1211); ranked at the 20.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-39 (Process Isolation).

Deeper analysis

CVE-2026-6919 is a use-after-free vulnerability (CWE-416) in the DevTools component of Google Chrome prior to version 147.0.7727.117. This flaw, published on 2026-04-23, carries a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H) and is rated High severity by Chromium security.

The vulnerability can be exploited by a remote attacker who has already compromised the renderer process, using a crafted HTML page to potentially achieve a sandbox escape. Exploitation requires user interaction, such as visiting a malicious site, but leverages network access with low complexity and no privileges.

Google addressed the issue in Chrome stable channel version 147.0.7727.117, as announced in the Chrome Releases blog post at https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_22.html and tracked in Chromium issue 493652473 at https://issues.chromium.org/issues/493652473. Security practitioners should prioritize updating affected Chrome installations to mitigate this high-severity sandbox escape risk.

EU & UK References

Vulnerability details

Use after free in DevTools in Google Chrome prior to 147.0.7727.117 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1211 Exploitation for Stealth Stealth
Adversaries may exploit vulnerabilities to evade detection by hiding activity, suppressing logging, or operating within trusted or unmonitored components.
Why these techniques?

Use-after-free vulnerability in Chrome DevTools exploited via crafted HTML page enables sandbox escape, directly facilitating T1211 (Exploitation for Defense Evasion).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-6921Same product: Google Android
CVE-2026-6920Same product: Google Android
CVE-2026-7357Same product: Google Chrome
CVE-2026-7349Same product: Google Chrome
CVE-2026-7347Same product: Google Chrome
CVE-2026-7342Same product: Google Chrome
CVE-2026-4680Same product: Google Chrome
CVE-2026-10016Same product: Google Chrome
CVE-2026-7355Same product: Google Chrome
CVE-2026-5285Same product: Google Chrome

Affected Assets

google
chrome
≤ 147.0.7727.116

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires timely identification, reporting, and patching of the specific use-after-free flaw in Chrome DevTools, preventing sandbox escape exploitation.

prevent

Implements memory protection mechanisms like ASLR and DEP to mitigate exploitation of the use-after-free vulnerability in the compromised renderer process.

prevent

Enforces process isolation to contain the impact of potential sandbox escapes from the compromised Chrome renderer process.

References