PatchSiren cyber security CVE debrief

CVE-2026-6309 Google CVE debrief

A use-after-free vulnerability in Google Chrome's Viz compositor (CVE-2026-6309) enables sandbox escape from a compromised renderer process. The flaw was patched in Chrome 147.0.7727.101, released April 15, 2026. No known exploitation in the wild has been confirmed, and the vulnerability is not listed in CISA KEV.

Vendor
Google
Product
Chrome
CVSS
HIGH 8.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-04-15
Original CVE updated
2026-05-26
Advisory published
2026-04-15
Advisory updated
2026-05-26

Who should care

Organizations with unmanaged or broadly deployed Chrome installations; security teams defending against advanced persistent threats that employ browser exploitation chains; endpoint protection teams monitoring for sandbox escape indicators.

Technical summary

CVE-2026-6309 is a use-after-free vulnerability in the Viz compositor component of Google Chrome. The flaw exists in versions prior to 147.0.7727.101. An attacker who has already compromised the renderer process can exploit this vulnerability to escape the Chrome sandbox. The attack requires a crafted HTML page and user interaction. The vulnerability is classified as High severity by Chromium security standards with a CVSS 3.1 score of 8.3. The underlying weakness is CWE-416 (Use After Free).

Defensive priority

HIGH

Recommended defensive actions

  • Update Google Chrome to version 147.0.7727.101 or later across all endpoints
  • Prioritize patching for systems where users browse untrusted or adversarial web content
  • Consider enabling site isolation and enhanced site isolation policies as defense-in-depth
  • Monitor for unusual renderer process crashes or unexpected sandbox escape attempts in Chrome logs
  • Review and restrict browser extensions to reduce renderer compromise attack surface
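The first action above depends on comparing installed builds against the fixed version correctly; the following is an added example for this debrief, not PatchSiren's or Google's code. It takes the fixed version from the advisory, while the "host,version" inventory format and the sample hosts are constructed assumptions.

```python
"""Triage a Chrome version inventory against the CVE-2026-6309 fixed build.
Added example; the fixed version is from the advisory, the inventory
format and hostnames are constructed assumptions."""
from typing import Dict, List, Optional, Tuple

FIXED_VERSION = "147.0.7727.101"  # fixed build named in the Chrome release notes

def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Dotted version -> tuple of ints, or None if any component is non-numeric.
    Integer tuples compare component-wise; comparing the strings lexically would
    rank "147.0.7727.99" above "147.0.7727.101" although it is the older build."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def is_patched(installed: str, fixed: str = FIXED_VERSION) -> Optional[bool]:
    """True if installed >= fixed, False if older, None if unparseable."""
    inst, fix = parse_version(installed), parse_version(fixed)
    if inst is None or fix is None:
        return None
    width = max(len(inst), len(fix))  # pad so 147.0.7727.101 == 147.0.7727.101.0
    return inst + (0,) * (width - len(inst)) >= fix + (0,) * (width - len(fix))

def triage_inventory(lines: List[str]) -> Dict[str, List[str]]:
    """Bucket 'host,version' lines into patched / vulnerable / unknown hosts."""
    result: Dict[str, List[str]] = {"patched": [], "vulnerable": [], "unknown": []}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and the header/comment line
        host, _, version = line.partition(",")
        state = is_patched(version)
        bucket = "unknown" if state is None else ("patched" if state else "vulnerable")
        result[bucket].append(host.strip())
    return result

# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    "# host,chrome_version",
    "ws-001,147.0.7727.101",   # exactly the fixed build
    "ws-002,147.0.7727.99",    # one build short, but lexically "newer"
    "ws-003,148.0.7800.20",    # later major release
    "ws-004,146.0.7600.140",   # older major release
    "ws-005,unknown",          # inventory agent could not read a version
]

if __name__ == "__main__":
    for bucket, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {hosts}")
```

Hosts in the "unknown" bucket should be treated as unpatched until a version is confirmed, rather than silently dropped.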

Evidence notes

The CVE description and NVD record confirm this is a use-after-free (CWE-416) in Chrome's Viz component. The vendor advisory from Google Chrome Releases establishes the fixed version as 147.0.7727.101. The Chromium issue tracker reference indicates restricted access (Permissions Required). The CVSS 3.1 score of 8.3 reflects a network attack vector with high attack complexity, required user interaction, a scope change, and high impact on confidentiality, integrity, and availability.

Official resources
