CVE-2026-6301 Google CVE debrief

Who should care

Organizations relying on Google Chrome for business operations, security teams managing browser attack surface, and users handling sensitive data through web applications should prioritize this update due to the high exploitability and impact potential of JIT compiler vulnerabilities.

Technical summary

The vulnerability exists in Turbofan, Chrome's optimizing JIT compiler for JavaScript. Type confusion (CWE-843) arises when the compiler's type inference system produces incorrect assumptions about object types during speculative optimization, leading to memory safety violations. Successful exploitation requires user interaction with a crafted HTML page but results in arbitrary code execution within the renderer sandbox. The fix was released in Chrome stable channel update dated April 15, 2026.

Defensive priority

high

Recommended defensive actions

• Update Google Chrome to version 147.0.7727.101 or later through the browser's built-in update mechanism or official distribution channels
• Verify update installation by checking chrome://settings/help to confirm the running version meets or exceeds the patched release
• For managed enterprise environments, deploy the updated Chrome version through standard software distribution tools after testing compatibility with internal web applications
• Consider enabling site isolation and enhanced safe browsing features as defense-in-depth measures against similar renderer exploitation techniques
• Monitor for unusual renderer process crashes or unexpected sandbox escape attempts in browser security logs

Evidence notes

Vendor attribution to Apple in source data appears inconsistent with vulnerability description and CPE criteria, which identify Google Chrome as the affected product. Primary evidence sources are Chrome Release Notes and Chromium issue tracker.

Official resources