PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-6304 Google CVE debrief

A use-after-free vulnerability in the Graphite font rendering library within Google Chrome enables sandbox escape from a compromised renderer process. The flaw was addressed in Chrome 147.0.7727.101, released April 2026. The CVSS 3.1 score of 8.3 reflects high impact across confidentiality, integrity, and availability, with attack complexity rated as high due to the prerequisite renderer compromise. No known exploitation in ransomware campaigns has been documented.

Vendor: Google
Product: Chrome
CVSS: 8.3 (HIGH)
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-15
Original CVE updated: 2026-05-26
Advisory published: 2026-04-15
Advisory updated: 2026-05-26

Who should care

Organizations with managed Chrome deployments, security teams responsible for browser security posture, and incident responders tracking renderer exploitation chains

Technical summary

The vulnerability exists in Chrome's integration of the Graphite font rendering library, where a use-after-free condition can be triggered through crafted HTML content. Successful exploitation requires prior compromise of the renderer process, after which the memory corruption flaw may allow escape from Chrome's sandbox security boundary. The fix was included in the stable channel update released April 15, 2026.

Defensive priority

High

Recommended defensive actions

  • Upgrade Google Chrome to version 147.0.7727.101 or later across all managed endpoints
  • Verify automatic update mechanisms are functional for Chrome installations
  • Review browser isolation policies to limit renderer process compromise impact
  • Monitor for anomalous renderer crashes or unexpected sandbox escape attempts
  • Audit endpoints for Chrome versions prior to 147.0.7727.101
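The audit step above compares installed Chrome builds against the fixed version 147.0.7727.101. The script below is an added example, not PatchSiren's or Google's code: it parses a constructed inventory (one `hostname,version` line per endpoint, an assumed format) and buckets each host as patched, vulnerable, or unknown. Versions are compared as integer tuples, because plain string comparison would rank 147.0.7727.98 above 147.0.7727.101.

```python
"""Audit a Chrome version inventory against the fixed build for CVE-2026-6304.

Added example, not PatchSiren's or Google's code. The inventory format
(hostname,version per line) and the sample hosts are constructed assumptions.
"""
from typing import Dict, List, Tuple

# Fixed build from the advisory: Chrome 147.0.7727.101
FIXED_VERSION = "147.0.7727.101"

# Constructed sample inventory; a real one would be exported from an endpoint manager.
SAMPLE_INVENTORY = """\
# hostname,chrome_version
host01,146.0.7680.55
host02,147.0.7727.101
host03,147.0.7727.98
host04,147.0.7727.101
host05,148.0.7800.12
host06,not-installed
host07,147.0.7727
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '147.0.7727.101' into (147, 0, 7727, 101).

    Short strings are padded with zeros so '147.0.7727' sorts below the fixed
    build (treated conservatively as unpatched). Raises ValueError for anything
    that is not dotted integers.
    """
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (4 - len(parts))


def is_patched(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True if the installed build is at or above the fixed build.

    Tuple comparison is used deliberately: as strings, '147.0.7727.98' would
    compare greater than '147.0.7727.101' and be misreported as patched.
    """
    return parse_version(version) >= parse_version(fixed)


def audit(inventory: str) -> Dict[str, List[str]]:
    """Classify each inventory line as 'patched', 'vulnerable', or 'unknown'.

    'unknown' covers hosts whose version field cannot be parsed (for example
    an agent that reported Chrome as not installed); these need manual review
    rather than being silently counted as patched.
    """
    result: Dict[str, List[str]] = {"patched": [], "vulnerable": [], "unknown": []}
    for line in inventory.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # skip blank lines and comments
        host, _, version = line.partition(",")
        try:
            bucket = "patched" if is_patched(version) else "vulnerable"
        except ValueError:
            bucket = "unknown"
        result[bucket].append(host.strip())
    return result


if __name__ == "__main__":
    report = audit(SAMPLE_INVENTORY)
    for bucket, hosts in report.items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts in the "vulnerable" bucket are the ones to upgrade to 147.0.7727.101 or later; hosts in "unknown" should be checked by hand, since an unparseable version string is not evidence that the fix is present.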

Evidence notes

The CVE description and NVD record identify Google Chrome as the affected product, with remediation in version 147.0.7727.101. The vendor field indicates Apple with medium confidence based on NVD CPE data; this appears to reflect macOS as an affected platform rather than the vulnerability origin. The Chrome Release Notes confirm the fix date and severity classification.

Official resources

2026-04-15