CVE-2026-6302 Overview
CVE-2026-6302 is a use-after-free vulnerability [CWE-416] in the Video component of Google Chrome prior to version 147.0.7727.101. A remote attacker can execute arbitrary code inside the Chrome renderer sandbox by serving a crafted HTML page to a target user. Google rates the Chromium security severity as High, and the issue carries a CVSS 3.1 base score of 8.8. The flaw affects Chrome on Windows, macOS, and Linux. Exploitation requires user interaction, typically loading or navigating to an attacker-controlled web page. Google addressed the vulnerability in the Stable channel update released on April 15, 2026.
Critical Impact
Remote attackers can achieve arbitrary code execution inside the Chrome sandbox through a crafted HTML page, providing a foothold for further sandbox-escape chains.
Affected Products
- Google Chrome prior to 147.0.7727.101 on Microsoft Windows
- Google Chrome prior to 147.0.7727.101 on Apple macOS
- Google Chrome prior to 147.0.7727.101 on Linux
Discovery Timeline
- 2026-04-15 - Google releases Stable channel update fixing the issue
- 2026-04-15 - CVE-2026-6302 published to NVD
- 2026-04-17 - Last updated in NVD database
Technical Details for CVE-2026-6302
Vulnerability Analysis
The vulnerability resides in Chrome's Video subsystem, which handles media playback, decoding, and rendering for HTML <video> elements and related media APIs. A use-after-free occurs when the Video component retains and dereferences a pointer to an object that has already been freed. An attacker who controls the lifecycle of media-related objects through JavaScript and HTML markup can leave such a dangling reference and then reclaim the freed memory with attacker-controlled data. The exact trigger is not public: Google keeps bug details restricted until a majority of users have received the fix.
Once the freed allocation is reused, subsequent dereferences operate on attacker-controlled state. Depending on the object involved, this can be leveraged to corrupt object metadata, hijack virtual function tables, or build read/write primitives inside the renderer process, ending in arbitrary code execution within the renderer sandbox. Chromium's memory-safety hardening (PartitionAlloc with MiraclePtr/BackupRefPtr where it is enabled, and control-flow integrity) raises the cost of each of these steps; the public report does not say whether they cover this allocation. A separate sandbox escape would still be needed to turn renderer code execution into full compromise of the host operating system.
Root Cause
The root cause is improper object lifetime management within the Video pipeline: a reference to a media-related object is held beyond the object's deallocation, breaking the ownership model that Chromium's smart pointers and task scheduling assume. In Chromium code this pattern usually means a raw pointer or callback that outlives its owner, or a posted task that runs after the object it references has been destroyed; which of these applies here is not stated in the restricted report. Chromium issue 495477995 tracks the fix.
Attack Vector
Exploitation requires a victim to load a crafted HTML page containing malicious media elements and JavaScript that drives the Video component into the vulnerable state. The attack vector is network-based with user interaction. No authentication or elevated privileges are required from the attacker.
No public proof-of-concept is currently available, and the EPSS probability is 0.048%. No verified code examples are available for this issue. Refer to the Chromium Issue Tracker entry 495477995 for technical details once the report is unrestricted.
Detection Methods for CVE-2026-6302
Indicators of Compromise
- Chrome renderer processes crashing shortly after loading untrusted web content that contains <video> elements. A renderer is sandboxed and should never create child processes, so a renderer that spawns anything is a strong indicator on its own.
- Outbound connections from the browser process (chrome.exe on Windows, Google Chrome on macOS, chrome on Linux) to low-reputation domains immediately following media playback events. Treat this as corroborating evidence only; the browser contacts many domains in normal use.
- Unusual file writes or process creations originating from a Chrome renderer process, which is sandboxed and unable to perform such actions under normal operation.
Detection Strategies
- Inventory Chrome installations across the fleet and alert on versions earlier than 147.0.7727.101.
- Monitor for browser exploitation behaviors that endpoint telemetry can observe: renderer-to-shell process chains, renderer processes allocating executable memory or calling process-creation APIs, and stack-pivot or return-oriented execution patterns flagged by the EDR's exploit-protection features.
- Correlate web proxy logs with endpoint telemetry to identify users visiting newly registered or low-reputation domains serving heavy media content.
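The fleet version check above, and the version commands in the mitigation section below, both come down to comparing a dotted Chrome version against the fixed build. The following is an added example, not code from the original advisory or from Google. It flags hosts that are still below 147.0.7727.101, taking the raw output of the version commands as input; the inventory lines and the "hostname,raw output" layout are constructed sample data, and a real run would be fed by your asset-management export.

```python
"""Added example, not code from the original advisory or from Google: flag Chrome
installs that are still below the fixed build 147.0.7727.101. The inventory below is
constructed sample data in an assumed "hostname,raw version output" layout; a real
run would feed it the output of the version commands in the mitigation section
(google-chrome --version, reg query ... /v pv, or the macOS binary's --version)."""

import re
from typing import List, Tuple

FIXED_VERSION = "147.0.7727.101"

# Matches a four-part Chrome version anywhere in tool output, e.g.
# "Google Chrome 147.0.7727.101" or "    pv    REG_SZ    147.0.7727.101".
VERSION_RE = re.compile(r"\b(\d+\.\d+\.\d+\.\d+)\b")

# Constructed sample inventory: one host per line, raw tool output after the comma.
# host-b is the classic trap: "147.0.7727.99" sorts AFTER "147.0.7727.101" as a
# string but is an older, still-vulnerable build.
SAMPLE_INVENTORY = """\
host-a,Google Chrome 147.0.7727.101
host-b,Google Chrome 147.0.7727.99
host-c,    pv    REG_SZ    146.0.7700.50
host-d,Google Chrome 148.0.7800.12
host-e,Google Chrome 147.0.7727.120
"""


def extract_version(text: str) -> str:
    """Pull the dotted version string out of raw version-command output."""
    match = VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no Chrome version found in {text!r}")
    return match.group(1)


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Convert 'major.minor.build.patch' into ints so comparison is numeric."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(part.isdigit() for part in parts):
        raise ValueError(f"not a Chrome version string: {version!r}")
    major, minor, build, patch = (int(part) for part in parts)
    return major, minor, build, patch


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build is strictly older than the fixed build."""
    return parse_version(version) < parse_version(fixed)


def find_vulnerable_hosts(inventory: str, fixed: str = FIXED_VERSION) -> List[Tuple[str, str]]:
    """Return (hostname, version) for every inventory line still below the fix."""
    flagged = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, raw_output = line.split(",", 1)
        version = extract_version(raw_output)
        if is_vulnerable(version, fixed):
            flagged.append((host.strip(), version))
    return flagged


if __name__ == "__main__":
    for host, version in find_vulnerable_hosts(SAMPLE_INVENTORY):
        print(f"{host}: Chrome {version} is below {FIXED_VERSION}, update required")
```

The numeric tuple comparison is the point: a string or lexical comparison would report host-b (147.0.7727.99) as patched because "99" sorts after "101", and that is exactly the host that still needs the update.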
Monitoring Recommendations
- Enable browser telemetry forwarding to a centralized log platform and retain renderer crash dumps for forensic review.
- Track parent/child process relationships rooted in Chrome and flag any deviation from the standard renderer, GPU, and utility process tree. Chrome tags each child with --type=renderer, --type=gpu-process, or --type=utility on its command line, so a rule can tell a sandboxed child from the browser process without relying on pid bookkeeping alone.
- Alert on Chrome processes loading non-standard DLLs (or shared libraries on macOS and Linux) or making outbound connections to unusual ports.
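The process-tree indicator from the IoC list and the parent/child tracking recommended above reduce to one rule: a sandboxed Chrome child must never create a process. The following is an added example, not code from the original advisory or from Google, that applies that rule to constructed sample telemetry. The record layout (pid,ppid,image,command_line), the image names, and the sample events are assumptions shaped loosely after Sysmon Event ID 1; adapt the parser to your EDR's schema.

```python
"""Added example, not code from the original advisory or from Google: a detector for
the "sandboxed Chrome child spawned a process" indicator, run over constructed sample
telemetry. Record layout (pid,ppid,image,command_line) and the image names are
assumptions shaped loosely after Sysmon Event ID 1; adapt to your EDR's schema."""

import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Image names of the Chrome binary on Windows, Linux and macOS.
CHROME_IMAGES = {"chrome.exe", "chrome", "google chrome"}

# Chrome marks each child process with --type=<kind> on its command line
# (renderer, gpu-process, utility, ...); the browser process has no --type.
TYPE_RE = re.compile(r"--type=([A-Za-z0-9_-]+)")

# Constructed sample process-creation records, one per line.
SAMPLE_EVENTS = r"""
50,1,explorer.exe,C:\Windows\explorer.exe
100,50,chrome.exe,"C:\Program Files\Google\Chrome\Application\chrome.exe"
101,100,chrome.exe,"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process
102,100,chrome.exe,"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --site-per-process --renderer-client-id=7
103,100,chrome.exe,"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService
200,102,cmd.exe,cmd.exe /c whoami
201,100,powershell.exe,powershell.exe -nop -w hidden -c Get-Process
202,100,chrome.exe,"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --renderer-client-id=8
"""


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str

    @property
    def is_chrome(self) -> bool:
        return self.image.lower() in CHROME_IMAGES

    @property
    def chrome_type(self) -> Optional[str]:
        """The --type value of a Chrome child process; None for the browser
        process itself or for anything that is not Chrome."""
        if not self.is_chrome:
            return None
        match = TYPE_RE.search(self.cmdline)
        return match.group(1) if match else None


def parse_events(text: str) -> Dict[int, ProcEvent]:
    """Parse the sample records into a pid -> event map (insertion order kept)."""
    events: Dict[int, ProcEvent] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, ppid, image, cmdline = line.split(",", 3)  # command lines may contain commas
        event = ProcEvent(int(pid), int(ppid), image.strip(), cmdline)
        events[event.pid] = event
    return events


def detect(events: Dict[int, ProcEvent]) -> List[dict]:
    """Flag process creations whose parent is Chrome.

    high:   the parent is a sandboxed Chrome child (--type=renderer, gpu-process,
            utility, ...). The sandbox is meant to make process creation impossible
            there, so this is the post-exploitation signal the IoC list describes.
    medium: the browser process spawned a non-Chrome binary. Legitimate helpers exist
            (for example xdg-settings on Linux), so triage these against an allowlist.
    """
    findings = []
    for event in events.values():
        parent = events.get(event.ppid)
        if parent is None or not parent.is_chrome:
            continue
        parent_type = parent.chrome_type
        if parent_type is not None:
            findings.append({"severity": "high", "pid": event.pid, "parent_pid": parent.pid,
                             "reason": f"chrome {parent_type} process spawned {event.image}"})
        elif not event.is_chrome:
            findings.append({"severity": "medium", "pid": event.pid, "parent_pid": parent.pid,
                             "reason": f"chrome browser process spawned {event.image}"})
    return findings


if __name__ == "__main__":
    for finding in detect(parse_events(SAMPLE_EVENTS)):
        print(f"[{finding['severity']}] pid {finding['pid']}: {finding['reason']}")
```

On the sample data the renderer (pid 102) spawning cmd.exe is the high-severity hit; the browser process spawning powershell.exe is reported at medium because the browser process is not sandboxed and does launch helpers legitimately. Chrome children of the browser process (the GPU, utility and second renderer) produce nothing, which is the expected tree.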
How to Mitigate CVE-2026-6302
Immediate Actions Required
- Update Google Chrome to version 147.0.7727.101 or later on all Windows, macOS, and Linux endpoints.
- Force a browser restart after the update to ensure the patched binary is loaded into memory.
- Verify Chromium-based managed browsers and embedded WebViews that share the Chromium media stack and apply vendor patches as they become available.
Patch Information
Google released the fix in the Stable channel update for desktop on April 15, 2026. Details are available in the Google Chrome Desktop Update advisory. Administrators using enterprise deployment tooling should push 147.0.7727.101 or later through Group Policy, Jamf, Intune, or equivalent management platforms.
Workarounds
- Restrict browsing to trusted sites using web filtering or DNS-based controls until patching is complete.
- Disable autoplay and limit media-heavy content from untrusted origins through enterprise browser policies (the AutoplayAllowed policy, with AutoplayAllowlist for the sites that need it).
- Enforce Site Isolation (the SitePerProcess policy, on by default on desktop) and ensure the Chrome sandbox is not disabled via command-line flags such as --no-sandbox.
None of these workarounds removes the bug: a crafted page the user opens can still reach the vulnerable code. They narrow exposure until the update is deployed and do not replace it.
# Verify Chrome version on Linux (prints e.g. "Google Chrome 147.0.7727.101")
google-chrome --version
# Windows: query the installed version from the Google Update client key.
# Google Update is 32-bit, so on 64-bit Windows the key sits in the WOW6432Node view (/reg:32);
# a per-user install registers the same key under HKCU instead of HKLM.
reg query "HKLM\Software\Google\Update\Clients\{8A69D345-D564-463C-AFF1-A69D9E530F96}" /v pv /reg:32
# macOS: check Chrome version
/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.