PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-6312 Apple CVE debrief

CVE-2026-6312 is a Google Chrome desktop vulnerability in Passwords policy enforcement that could let an attacker who had already compromised the renderer process leak cross-origin data via a crafted HTML page. The issue was fixed in Chrome 147.0.7727.101, and the source record classifies it as requiring network access, user interaction, and a prior renderer compromise, so it is not a standalone remote-takeover flaw.

Vendor: Apple
Product: CVE-2026-6312
CVSS: 3.1 (LOW)
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-15
Original CVE updated: 2026-05-10
Advisory published: 2026-04-15
Advisory updated: 2026-05-10

Who should care

Security teams managing Chrome desktop fleets, especially in enterprise environments that rely on browser-based authentication or password handling. Users and administrators running Chrome versions earlier than 147.0.7727.101 should prioritize updating.

Technical summary

The source description says that insufficient policy enforcement in Passwords in Google Chrome allowed cross-origin data leakage when an attacker who had already compromised the renderer process used a crafted HTML page. NVD maps the issue to Google Chrome versions before 147.0.7727.101 and rates the attack vector as network-reachable, with high attack complexity and user interaction required (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N). The vector records a low confidentiality impact and none to integrity or availability, so this is primarily an information-disclosure weakness.

Defensive priority

Medium

Recommended defensive actions

  • Update Google Chrome to 147.0.7727.101 or later on all managed desktops.
  • Verify fleet-wide browser version compliance, including systems outside standard patch rings.
  • Review browser hardening and renderer isolation controls to reduce post-compromise data exposure.
  • Treat this as a prompt patching item even though exploitation requires prior renderer compromise and user interaction.
  • Monitor vendor advisories and Chromium issue tracking for any follow-on clarifications.
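As an added illustration of the version-compliance check in the list above (example code, not part of the original debrief), the script below compares Chrome versions numerically against the fixed build 147.0.7727.101; the `hostname,version` inventory layout and the host rows are constructed assumptions.

```python
import re

# Fixed build named in the advisory: Chrome 147.0.7727.101.
FIXED_VERSION = "147.0.7727.101"

# Chrome desktop versions are four dot-separated integers (MAJOR.MINOR.BUILD.PATCH).
_VERSION_RE = re.compile(r"^\d+(?:\.\d+){3}$")

# Constructed sample inventory (hostname,version); these are not real hosts.
SAMPLE_INVENTORY = """\
# hostname,chrome_version
host01,147.0.7727.101
host02,147.0.7727.99
host03,146.0.7701.120
host04,unknown
host05,148.0.7800.3
"""


def parse_version(text):
    """Parse a Chrome version into an int tuple; raise ValueError if malformed,
    so bad inventory rows are reported instead of silently ranked."""
    text = text.strip()
    if not _VERSION_RE.match(text):
        raise ValueError(f"not a Chrome version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def is_patched(version, fixed=FIXED_VERSION):
    """True if version is at or above the fixed build. Components are compared
    numerically: as plain strings "147.0.7727.99" sorts above "147.0.7727.101"
    and would be misreported as patched."""
    return parse_version(version) >= parse_version(fixed)


def triage_inventory(csv_text, fixed=FIXED_VERSION):
    """Split 'hostname,version' rows into (vulnerable, patched, unparsable) host lists."""
    vulnerable, patched, unparsable = [], [], []
    for line in csv_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blank rows and the commented header
        host, _, version = line.partition(",")
        try:
            bucket = patched if is_patched(version, fixed) else vulnerable
        except ValueError:
            bucket = unparsable
        bucket.append(host)
    return vulnerable, patched, unparsable
```

Hosts that land in the unparsable list need a manual look rather than being counted as compliant.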

Evidence notes

The NVD record published on 2026-04-15 and modified on 2026-05-10 ties the vulnerability to Google Chrome, with vulnerable CPE criteria covering versions before 147.0.7727.101. The provided references are the Chrome stable-channel release notes and a Chromium issue marked 'Permissions Required'. NVD's CVSS vector is CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N, and the listed weaknesses are generic (NVD-CWE-noinfo) with a secondary CWE-284 classification. The input vendor field says Apple, but the supplied source corpus and CPE data point to Google Chrome; that mismatch should be treated cautiously.

Official resources

Publicly disclosed in the NVD record on 2026-04-15 and modified on 2026-05-10, with vendor references pointing to Google Chrome release notes and a Chromium issue.