PatchSiren cyber security CVE debrief

CVE-2026-6308 Google CVE debrief

CVE-2026-6308 is a high-severity out-of-bounds read vulnerability in Google Chrome's Media component, rated CVSS 7.5. The flaw exists in Chrome versions prior to 147.0.7727.101 and requires user interaction through specific UI gestures to trigger. A remote attacker could exploit this via a crafted HTML page to achieve arbitrary code execution. The vulnerability was disclosed on April 15, 2026, with the NVD record last modified on May 26, 2026. No known exploitation in ransomware campaigns has been reported, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog. The root cause is categorized as CWE-125 (Out-of-bounds Read).

Vendor: Google
Product: Chrome
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-15
Original CVE updated: 2026-05-26
Advisory published: 2026-04-15
Advisory updated: 2026-05-26

Who should care

Organizations with Google Chrome deployments, security teams responsible for browser security, endpoint administrators managing Chrome updates, and users who interact with web content from untrusted sources.

Technical summary

This vulnerability resides in the Media component of Google Chrome and manifests as an out-of-bounds read (CWE-125). The attack requires a remote attacker to deliver a crafted HTML page and convince a victim to perform specific UI gestures, indicating a social engineering component to exploitation. The high attack complexity (AC:H) and user interaction requirement (UI:R) reduce but do not eliminate the threat, as successful exploitation yields high impact across confidentiality, integrity, and availability. The vulnerability was patched in Chrome 147.0.7727.101, released in April 2026. No active exploitation in ransomware campaigns has been confirmed. Organizations should prioritize patching Chrome installations, particularly those in environments where users may interact with untrusted web content.

Defensive priority

high

Recommended defensive actions

  • Upgrade Google Chrome to version 147.0.7727.101 or later to remediate this vulnerability
  • Review and apply stable channel updates from Google Chrome releases
  • Consider implementing application control policies to restrict execution of untrusted HTML content
  • Monitor for suspicious web content that requires unusual UI interaction patterns
  • Ensure endpoint detection and response (EDR) solutions are configured to detect browser-based exploitation attempts

Evidence notes

The CVE description and NVD metadata confirm this is a Chrome Media component vulnerability with a High severity rating from Chromium. The CPE criteria indicate the affected products are Google Chrome versions before 147.0.7727.101. The vendor field shows 'Apple' with medium confidence from NVD CPE data, but this appears to be a platform association rather than the affected product vendor; the actual vulnerable software is Google Chrome per the CVE description and CPE criteria. The CVSS vector AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H indicates a network attack vector, high attack complexity, no privileges required, user interaction required, and high impacts to confidentiality, integrity, and availability.

Official resources

2026-04-15