Skip to main content
CVE Vulnerability Database

CVE-2026-6303: Google Chrome Use After Free Vulnerability

CVE-2026-6303 is a use after free vulnerability in Google Chrome Codecs that allows remote attackers to execute arbitrary code via crafted HTML pages. This article covers technical details, affected versions, and mitigation.

Updated:

CVE-2026-6303 Overview

CVE-2026-6303 is a use-after-free vulnerability in the Codecs component of Google Chrome prior to version 147.0.7727.101. A remote attacker can execute arbitrary code inside the Chrome sandbox by serving a crafted HTML page to a targeted user. The flaw is tracked under CWE-416 and rated High severity by Chromium. Exploitation requires user interaction, such as visiting an attacker-controlled web page. Successful exploitation yields code execution within the renderer process sandbox, which adversaries typically pair with a sandbox escape to achieve full system compromise.

Critical Impact

Remote attackers can execute arbitrary code in the Chrome renderer sandbox through a crafted HTML page, providing the foothold required for chained sandbox escape attacks.

Affected Products

  • Google Chrome versions prior to 147.0.7727.101
  • Chrome on Apple macOS, Microsoft Windows, and Linux
  • Chromium-based browsers that share the affected codec code paths

Discovery Timeline

  • 2026-04-15 - CVE-2026-6303 published to NVD
  • 2026-04-15 - Google publishes the Stable channel update for desktop addressing the issue
  • 2026-04-17 - Last updated in NVD database

Technical Details for CVE-2026-6303

Vulnerability Analysis

The vulnerability resides in the Codecs subsystem of Google Chrome, which handles decoding of audio and video media streams within the renderer process. A use-after-free condition occurs when the codec component continues to reference memory that has already been freed. An attacker who controls the timing and content of media operations can manipulate the freed allocation to contain attacker-influenced data. When Chrome later dereferences the dangling pointer, the corrupted object enables control over program execution flow.

Exploitation requires the victim to load a crafted HTML page containing media elements that trigger the vulnerable code path. The resulting code execution is confined to the Chrome sandbox, meaning the attacker must combine this flaw with a separate sandbox escape to access the underlying operating system.

Root Cause

The root cause is improper object lifetime management in the codec implementation, classified as [CWE-416] Use After Free. The vulnerable code retains a pointer to a codec-related object after its memory is released, then dereferences that pointer during subsequent processing. Reference counting or ownership tracking fails to keep the object alive for the duration of all outstanding uses.

Attack Vector

The attack vector is network-based and requires user interaction. An attacker hosts a malicious HTML page with media content engineered to trigger the use-after-free in the codec path. When a victim visits the page using a vulnerable Chrome build, the renderer process processes the crafted media stream and reaches the dangling pointer dereference. The attacker shapes heap layout through scripted allocations to place controlled data in the freed region, achieving arbitrary read and write primitives that lead to code execution inside the sandboxed renderer.

No public proof-of-concept or exploit code is available at the time of publication. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Refer to the Chromium Issue Tracker Entry for additional technical context.

Detection Methods for CVE-2026-6303

Indicators of Compromise

  • Chrome renderer process crashes with signatures consistent with heap corruption when loading media-heavy pages
  • Unexpected child processes spawned from chrome.exe or the Chrome renderer following navigation to untrusted sites
  • Outbound connections from Chrome to domains hosting unfamiliar HTML or media payloads immediately preceding crash events

Detection Strategies

  • Inventory installed Chrome versions across the fleet and flag any build below 147.0.7727.101 as vulnerable
  • Monitor browser telemetry for repeated renderer crashes correlated with specific URLs or referrers
  • Correlate web proxy logs with endpoint telemetry to identify users who visited suspicious sites and subsequently exhibited anomalous browser behavior

Monitoring Recommendations

  • Forward Chrome crash reports and WerFault events to a central SIEM for analysis
  • Track process lineage from browser renderers to detect post-exploitation activity such as shell spawning or LOLBin execution
  • Alert on Chrome processes performing file writes outside the user profile directory or initiating uncommon network connections

How to Mitigate CVE-2026-6303

Immediate Actions Required

  • Update Google Chrome to version 147.0.7727.101 or later on all Windows, macOS, and Linux endpoints
  • Restart Chrome after the update to ensure the patched binaries are loaded into memory
  • Verify Chromium-based browsers in the environment have absorbed the upstream fix and update accordingly

Patch Information

Google released the fix in the Stable channel update for desktop on April 15, 2026, shipping Chrome 147.0.7727.101 for Windows, macOS, and Linux. Details are published in the Google Chrome Update Blog. Administrators should enforce automatic updates through enterprise policy and confirm version compliance via management tooling.

Workarounds

  • Restrict browsing to trusted sites using web filtering or DNS-layer controls until patching is complete
  • Apply Chrome enterprise policies to disable or restrict unnecessary media features on high-risk endpoints
  • Isolate browsing activity for privileged users through remote browser isolation or dedicated workstations
bash
# Verify Chrome version on Linux/macOS endpoints
google-chrome --version

# Windows: check version via registry
reg query "HKLM\Software\Google\Update\Clients\{8A69D345-D564-463C-AFF1-A69D9E530F96}" /v pv

# Force update check (Linux)
sudo apt-get update && sudo apt-get install --only-upgrade google-chrome-stable

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.