PatchSiren cyber security CVE debrief

CVE-2026-6302 Google CVE debrief

A use-after-free in the Video component of Google Chrome before 147.0.7727.101 allows a remote attacker to execute code inside the browser's renderer sandbox when a victim visits a crafted HTML page. The flaw carries a CVSS 3.1 base score of 8.8 (High). Google disclosed it on April 15, 2026; the NVD record was last modified on May 26, 2026. No use in ransomware campaigns has been documented, and the CVE is not listed in CISA's Known Exploited Vulnerabilities catalog.

Vendor
Google
Product
Chrome
CVSS
HIGH 8.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-04-15
Original CVE updated
2026-05-26
Advisory published
2026-04-15
Advisory updated
2026-05-26

Who should care

Organizations with managed Chrome deployments, security teams responsible for browser security, and end users who browse untrusted web content. The vulnerability is particularly relevant for environments where Chrome is used to access external or user-generated content.

Technical summary

The flaw is a use-after-free in Chrome's Video component: while handling a crafted HTML page, the component keeps using an object after the memory backing it has been freed. An attacker who can control what lands in that freed memory can turn the stale access into memory corruption and arbitrary code execution, but only inside the renderer process, which Chrome runs under a sandbox; taking over the endpoint would additionally require a sandbox escape, which this CVE does not provide on its own. The CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H records exactly that: network attack vector (the page can be served from anywhere), low attack complexity, no privileges required, user interaction required (the victim must open the page), unchanged scope, and high impact to confidentiality, integrity and availability.

Defensive priority

High

Recommended defensive actions

  • Update Google Chrome to 147.0.7727.101 or later on all managed endpoints, and confirm the browser has been relaunched: Chrome downloads updates in the background but does not run the new build until it restarts
  • Verify that automatic updates are enabled and not blocked by policy on every Chrome installation
  • Review browser extension policies to reduce the attack surface exposed to untrusted web content
  • Monitor for anomalous browser behaviour such as clusters of renderer process crashes or a Chrome process spawning unexpected child processes, which may indicate exploitation attempts or a sandbox escape
  • Apply least privilege to user accounts so that a successful sandbox escape gains as little as possible
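The first two actions come down to one question per endpoint: is the installed build at or above 147.0.7727.101? The added example below (not PatchSiren tooling) gates an endpoint inventory against that build. It accepts both the string printed by google-chrome --version on Linux and macOS ("Google Chrome 147.0.7727.101") and the bare product version reported on Windows, and compares the four components as integers, because a plain string comparison would rank a build ending in .99 above one ending in .101. The inventory records are constructed sample data; in practice you would feed it the export from your endpoint-management system.

```python
"""Version gate for the Chrome fix described in this debrief.

Added example, not PatchSiren tooling. SAMPLE_INVENTORY is constructed
sample data; replace it with your endpoint-management export.
"""
import re
from typing import Iterable, NamedTuple

FIXED_VERSION = "147.0.7727.101"  # first fixed build per the debrief

# Matches the four-part build number wherever it appears, so both
# 'Google Chrome 147.0.7727.101' and '147.0.7727.101' are accepted.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple:
    """Extract the Chrome build number as a tuple of four ints.

    Integer tuples compare correctly; comparing the raw strings would
    put '147.0.7727.99' after '147.0.7727.101'.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Chrome version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version_text: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build is older than the first fixed build."""
    return parse_version(version_text) < parse_version(fixed)


class Endpoint(NamedTuple):
    host: str
    platform: str
    chrome_version: str  # raw string exactly as collected from the endpoint


def triage(endpoints: Iterable[Endpoint]) -> dict:
    """Bucket hosts into 'patched', 'vulnerable' and 'unknown'.

    'unknown' collects hosts whose version string could not be parsed
    (empty, garbled, Chrome absent); those need a manual check rather
    than being silently counted as patched.
    """
    result = {"patched": [], "vulnerable": [], "unknown": []}
    for ep in endpoints:
        try:
            bucket = "vulnerable" if is_vulnerable(ep.chrome_version) else "patched"
        except ValueError:
            bucket = "unknown"
        result[bucket].append(ep.host)
    return result


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    Endpoint("ws-001", "windows", "147.0.7727.101"),
    Endpoint("ws-002", "windows", "147.0.7727.99"),
    Endpoint("mac-010", "macos", "Google Chrome 146.0.7698.120"),
    Endpoint("lx-020", "linux", "Google Chrome 147.0.7727.150"),
    Endpoint("lx-021", "linux", ""),
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Note that a host reporting the fixed build may still be running the old code if the browser has not been relaunched since the update; the inventory tells you what is installed, not what is executing, so pair this check with a relaunch policy or a process-age check.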

Evidence notes

The vulnerability description and affected-product data are taken from the official NVD record and the Chrome release notes. The automated vendor inference from the CPE data returned Apple at medium confidence; that conflicts with the product itself, which is Google Chrome, and most likely reflects the macOS platform entry in the CPE configuration rather than the product vendor, so the vendor shown above is Google. The CPE criteria confirm that Chrome versions before 147.0.7727.101 are vulnerable on macOS, Linux and Windows.

Official resources

2026-04-15