PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-6362 Google CVE debrief

A use-after-free vulnerability in Google Chrome's media codecs allows remote attackers to potentially perform out-of-bounds memory access via crafted video files. The vulnerability affects Chrome versions prior to 147.0.7727.101 and was rated High severity by Chromium security. The CVSS 3.1 score of 4.3 (Medium) reflects a network attack vector with user interaction required. The weakness is categorized as CWE-416 (Use After Free). Google addressed this in the April 2026 stable channel update.

Vendor: Google
Product: Chrome
CVSS: MEDIUM 4.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-15
Original CVE updated: 2026-05-26
Advisory published: 2026-04-15
Advisory updated: 2026-05-26

Who should care

End users running outdated Chrome versions, enterprise security teams managing browser deployments, content security platforms analyzing video uploads, and organizations with users who regularly access external video content.

Technical summary

The vulnerability exists in Chrome's media codec handling where a use-after-free condition can be triggered when processing malformed video files. This memory safety issue could lead to out-of-bounds read access. The attack requires user interaction (opening a crafted video file) and results in limited confidentiality impact with no integrity or availability impact per CVSS scoring. The fix was released in Chrome 147.0.7727.101 on April 15, 2026.

Defensive priority

medium

Recommended defensive actions

  • Update Google Chrome to version 147.0.7727.101 or later
  • Restrict execution of untrusted video files in browser contexts
  • Monitor for unexpected browser crashes when handling video content
  • Apply security updates through Chrome's automatic update mechanism or enterprise deployment tools

Evidence notes

CVE published 2026-04-15; modified 2026-05-26. Vendor advisory confirms fix in Chrome 147.0.7727.101. Chromium issue tracker reference requires permissions. CPE criteria confirm affected versions exclude 147.0.7727.101 and later.
