PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-6360 Google CVE debrief

A use-after-free vulnerability (CWE-416) in the FileSystem component of Google Chrome, rated High severity by the Chromium security team, allows a remote attacker to potentially exploit object corruption via a crafted HTML page. It affects Chrome versions before 147.0.7727.101. Because the freed object is reachable from web content, the condition could enable code execution in the context of the browser process. Google fixed it in the April 2026 stable channel security update; organizations should update Chrome to 147.0.7727.101 or later.

Vendor
Google
Product
Chrome
CVSS
HIGH 8.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-04-15
Original CVE updated
2026-05-26
Advisory published
2026-04-15
Advisory updated
2026-05-26

Who should care

Organizations with Chrome deployments, security teams responsible for browser security posture, endpoint protection administrators, and users who handle sensitive web-based applications should prioritize this update. The vulnerability matters most where users browse untrusted web content, since visiting a malicious page is the only user interaction required, and where Chrome fronts business-critical applications.

Technical summary

The vulnerability exists in Chrome's FileSystem implementation, where improper object lifetime management can lead to a use-after-free condition. While processing a specially crafted HTML page, the browser may dereference an object that has already been freed, corrupting that object and potentially leading to code execution. The CVSS 3.1 score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) reflects a network attack vector, low attack complexity and no privileges required, with user interaction required (typically visiting a malicious page) and scope unchanged; confidentiality, integrity and availability impacts are all rated High. Use-after-free bugs of this kind are a staple of browser exploitation chains and drive-by download attacks.

Defensive priority

High

Recommended defensive actions

  • Update Google Chrome to version 147.0.7727.101 or later on every endpoint; when inventorying installed versions, compare the four-part version number component by component, not as a string
  • Verify that Chrome auto-update is enabled and actually completing in enterprise environments (a relaunch is still required for a downloaded update to take effect)
  • Review browser extension policies to reduce attack surface from untrusted web content
  • Monitor for anomalous browser crashes or unexpected process behavior that may indicate exploitation attempts
  • Chromium-derived browsers (Edge, Brave, Opera) carry the same FileSystem code and ship the fix on their own release schedules; track their advisories and apply their updates as they become available
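The following version gate is an added example for the first two actions above; it is not part of the PatchSiren debrief or of any Google tooling. It assumes the fixed version stated in the advisory (147.0.7727.101), reads the output of `google-chrome --version` (or the macOS binary under /Applications) when a Chrome binary is present, and compares the four dotted components numerically, because a plain string comparison ranks 147.0.7727.99 above 147.0.7727.101. The sample `--version` lines at the bottom are constructed, not captured from real endpoints.

```shell
#!/bin/sh
# Added example (not PatchSiren's or Google's code): gate an endpoint on the
# Chrome build that fixes the FileSystem use-after-free.

FIXED_VERSION="147.0.7727.101"   # fixed build stated in the advisory

# version_ge A B -> status 0 if A >= B comparing each dotted component as an
# integer, status 1 otherwise. Missing trailing components count as 0.
version_ge() {
    a="$1"; b="$2"; i=1
    while [ "$i" -le 4 ]; do
        x=$(printf '%s\n' "$a" | cut -d. -f"$i")
        y=$(printf '%s\n' "$b" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# extract_version "<--version output>" -> first four-part version in the text,
# e.g. "Google Chrome 147.0.7727.101" -> 147.0.7727.101 (empty if none).
extract_version() {
    printf '%s\n' "$1" | grep -oE '[0-9]+(\.[0-9]+){3}' | head -n 1
}

# chrome_patched "<--version output>" -> prints PATCHED, VULNERABLE or UNKNOWN;
# status 0 only when the build is at or above FIXED_VERSION.
chrome_patched() {
    v=$(extract_version "$1")
    if [ -z "$v" ]; then echo "UNKNOWN"; return 2; fi
    if version_ge "$v" "$FIXED_VERSION"; then echo "PATCHED"; return 0; fi
    echo "VULNERABLE"; return 1
}

# Live check for this host: tries the common Linux binary names and the macOS
# application bundle path; does nothing harmful when Chrome is absent.
live_check() {
    for bin in google-chrome google-chrome-stable \
        "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome"; do
        if command -v "$bin" >/dev/null 2>&1; then
            out=$("$bin" --version 2>/dev/null) || continue
            printf '%s: ' "$out"
            chrome_patched "$out"
            return $?
        fi
    done
    echo "no Chrome binary found on this host"
    return 2
}

# Constructed sample lines (not real endpoint output). The second one is the
# case a string comparison gets wrong: "99" sorts after "101" lexically.
for sample in "Google Chrome 147.0.7727.101" "Google Chrome 147.0.7727.99" \
              "Google Chrome 146.0.7650.0" "Chromium 148.0.7800.12"; do
    printf '%-30s ' "$sample"; chrome_patched "$sample" || true
done
live_check || true
```

To use it in an inventory job, feed each host's `--version` output to `chrome_patched` and act on the exit status (0 patched, 1 vulnerable, 2 no version found); the printed label is for human readers.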

Evidence notes

CVE published 2026-04-15; modified 2026-05-26. Vendor advisory confirms fix in Chrome 147.0.7727.101. CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H.
