Skip to main content
CVE Vulnerability Database

CVE-2026-6364: Google Chrome Information Disclosure Bug

CVE-2026-6364 is an out of bounds read vulnerability in Google Chrome's Skia component that enables attackers to access sensitive memory data. This article covers technical details, affected versions, and mitigation.

Updated:

CVE-2026-6364 Overview

CVE-2026-6364 is an out-of-bounds read vulnerability in the Skia graphics library used by Google Chrome. The flaw affects Chrome versions prior to 147.0.7727.101 and is categorized under CWE-125: Out-of-bounds Read. A remote attacker can exploit this issue by serving a crafted file to a victim, leading to the disclosure of potentially sensitive information from process memory. Google rated the Chromium security severity as Medium. Exploitation requires user interaction, such as opening a malicious page or file rendered by Skia.

Critical Impact

Successful exploitation enables remote attackers to read out-of-bounds memory from the Chrome process, potentially leaking sensitive runtime data through a crafted file.

Affected Products

  • Google Chrome on desktop platforms prior to version 147.0.7727.101
  • Chromium-based components that embed the vulnerable Skia rendering code
  • Downstream Chromium browsers that have not yet integrated the Stable channel update

Discovery Timeline

  • 2026-04-15 - CVE-2026-6364 published to NVD
  • 2026-04-15 - Google releases Chrome Stable channel update addressing the issue
  • 2026-04-17 - Last updated in NVD database

Technical Details for CVE-2026-6364

Vulnerability Analysis

The vulnerability resides in Skia, the 2D graphics library Chrome uses to render images, fonts, and canvas elements. An out-of-bounds read occurs when Skia parses a crafted file and accesses memory beyond the bounds of an allocated buffer. The condition allows an attacker to retrieve adjacent bytes from process memory, which may contain pointers, tokens, or other sensitive data structures.

Because Skia processes untrusted content from web pages, the attack surface includes any HTML page that embeds the malicious resource. The CVSS vector indicates network-based delivery with user interaction required, and impact is limited to confidentiality. Integrity and availability of the browser are not directly affected by this read primitive.

Root Cause

The root cause is improper bounds checking in a Skia parsing or rendering routine. When a malformed input file specifies dimensions or offsets that exceed the allocated buffer, the code reads past the valid memory region. See the Chromium Issue Tracker Entry for the upstream tracking record.

Attack Vector

An attacker hosts a crafted file on a web page or delivers it through an embedded resource. When the victim loads the page in a vulnerable Chrome build, Skia processes the file and triggers the out-of-bounds read. The leaked bytes can be exfiltrated through script-accessible APIs that observe rendering output or timing side channels. No authentication is required, and the attack succeeds at low complexity.

No public proof-of-concept code or in-the-wild exploitation has been reported. Technical details are described in prose because no verified exploit code is available from upstream sources.

Detection Methods for CVE-2026-6364

Indicators of Compromise

  • Chrome process crashes or renderer terminations correlated with loading specific image or graphics files
  • Outbound web requests to pages serving malformed Skia-rendered content followed by anomalous data exfiltration
  • Browser telemetry showing repeated rendering errors tied to the same untrusted origin

Detection Strategies

  • Inventory installed Chrome versions across the fleet and flag any build below 147.0.7727.101 as exposed
  • Inspect web proxy and DNS logs for user navigation to untrusted sites serving uncommon image, font, or canvas payloads
  • Correlate endpoint crash dumps from chrome.exe renderer processes with Skia module stack frames

Monitoring Recommendations

  • Enable centralized browser version reporting through enterprise management policies
  • Forward Chrome crash and stability telemetry to a SIEM for trend analysis
  • Alert on renderer process anomalies that coincide with first-time visits to low-reputation domains

How to Mitigate CVE-2026-6364

Immediate Actions Required

  • Update all Chrome installations to version 147.0.7727.101 or later on Windows, macOS, and Linux
  • Restart Chrome after applying the update to ensure the patched Skia library is loaded
  • Audit Chromium-based browsers and embedded webviews for downstream patches that incorporate the Skia fix

Patch Information

Google published the fix in the Chrome Stable channel update referenced in the Google Chrome Stable Update advisory. Administrators should deploy the update through managed software distribution or allow Chrome's automatic update mechanism to apply it. Verify the running version via chrome://settings/help after deployment.

Workarounds

  • Restrict browsing to trusted sites using enterprise URL allow-lists until patching completes
  • Disable rendering of untrusted image and font content where feasible through enterprise policy
  • Use site isolation and sandboxing defaults to limit the blast radius of any successful read primitive
bash
# Configuration example: verify Chrome version on Linux endpoints
google-chrome --version | awk '{print $3}'
# Expected output: 147.0.7727.101 or later

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.