PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-6299 Google CVE debrief

A use-after-free vulnerability in Google Chrome's Prerender feature allows remote code execution via crafted HTML pages. The vulnerability affects Chrome versions prior to 147.0.7727.101 and carries a Critical severity rating from Chromium security. The use-after-free condition (CWE-416) in the Prerender component could enable an attacker to corrupt memory and execute arbitrary code in the context of the browser process. This vulnerability was disclosed in April 2026 and modified in late May 2026. No known exploitation in ransomware campaigns has been reported.

Vendor
Google
Product
Chrome
CVSS
HIGH 8.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-04-15
Original CVE updated
2026-05-26
Advisory published
2026-04-15
Advisory updated
2026-05-26

Who should care

Organizations with Chrome deployments, security teams responsible for browser security, endpoint protection teams, and users handling sensitive data through web browsers should prioritize patching. The critical severity and remote attack vector make this a high-priority vulnerability for enterprise patch management programs.

Technical summary

The vulnerability exists in Chrome's Prerender functionality, which proactively loads web pages in the background to improve perceived performance. A use-after-free condition occurs when memory is accessed after it has been freed, potentially allowing an attacker to manipulate object pointers and achieve arbitrary code execution. The attack vector requires user interaction (UI:R) to render a crafted HTML page, but no privileges are required and the attack complexity is low. Successful exploitation could result in complete compromise of confidentiality, integrity, and availability within the browser security context.

Defensive priority

critical

Recommended defensive actions

  • Update Google Chrome to version 147.0.7727.101 or later to address the use-after-free vulnerability in Prerender
  • Consider disabling Prerender features via enterprise policy if immediate patching is not feasible and the functionality is not required
  • Monitor for suspicious HTML content delivery to endpoints, particularly from untrusted sources
  • Review browser crash reports and memory-related anomalies for potential exploitation indicators
  • Apply defense-in-depth measures including site isolation and sandboxing to limit impact of browser memory corruption vulnerabilities

Evidence notes

The CVE description identifies a use-after-free in Prerender affecting Chrome prior to 147.0.7727.101. CPE data confirms the vulnerable product as Google Chrome with version bound excluding 147.0.7727.101. CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H yields score 8.8 (HIGH). CWE-416 (Use After Free) is identified as the weakness. The vendor field shows Apple with medium confidence from NVD CPE data, but this appears to be a data quality issue—the vulnerability clearly affects Google Chrome per the description and CPE criteria.

Official resources

2026-04-15