PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-6364 Google CVE debrief

CVE-2026-6364 is an out-of-bounds read vulnerability in Skia, the 2D graphics library used by Google Chrome. The flaw exists in Chrome versions prior to 147.0.7727.101 and allows a remote attacker to obtain potentially sensitive information from process memory by convincing a user to open a crafted file. Chromium security rated it Medium severity; its CVSS 3.1 base score is 6.5. The issue was published on April 15, 2026, and the CVE record was last modified on May 26, 2026. The root cause is categorized under CWE-125 (Out-of-bounds Read). No exploitation in ransomware campaigns has been reported, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.

Vendor: Google
Product: Chrome
CVSS: MEDIUM 6.5
CISA KEV: Not listed (per stored evidence)
Original CVE published: 2026-04-15
Original CVE updated: 2026-05-26
Advisory published: 2026-04-15
Advisory updated: 2026-05-26

Who should care

Organizations and individuals using Google Chrome to handle files from external or untrusted sources, particularly those in environments where sensitive data may be present in browser process memory. Security teams responsible for browser security posture and patch management should prioritize this update.

Technical summary

The vulnerability resides in Skia, the 2D graphics library Chrome uses to rasterize images, text and canvas content. Processing a specially crafted file can cause Skia to read past the bounds of a buffer, exposing adjacent process memory contents to the attacker. The attack requires user interaction: the victim must open the malicious file. Because the primitive is a read rather than a write, the CVSS assessment rates confidentiality impact as high with no integrity or availability impact; on its own the bug does not give code execution, though memory disclosure of this kind is commonly chained with a separate memory-corruption bug to defeat ASLR. The fix was released in Chrome 147.0.7727.101.

Defensive priority

Medium

Recommended defensive actions

  • Upgrade Google Chrome to version 147.0.7727.101 or later to remediate this vulnerability
  • Apply security updates through Chrome's automatic update mechanism or manual download from official Google channels; a browser restart is required before an installed update takes effect
  • For managed enterprise environments, validate the deployed Chrome version across endpoints (comparing version components numerically, not as strings) and prioritize patching for systems handling untrusted file content
  • Monitor for unusual Chrome process crashes; note that an out-of-bounds read that stays within mapped memory does not crash the process, so the absence of crashes is not evidence that exploitation has not occurred
  • Review policies governing which file types Chrome opens and renders from untrusted sources, since a crafted file must be decoded and rendered by Skia to trigger the read
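The endpoint version check from the list above, as an added example (not PatchSiren tooling and not Chromium code). It compares the installed version with the advisory's fixed version 147.0.7727.101 as integer tuples, which avoids the string-comparison bug that would report 147.0.7727.99 as newer than 147.0.7727.101. The inventory rows and hostnames are constructed sample data, and the Chrome binary names tried by the local check are assumptions for Linux and macOS hosts.

```python
"""Chrome version triage for CVE-2026-6364.

Added example, not PatchSiren tooling. Inventory rows below are constructed
sample data; the binary names in local_chrome_version() are assumptions.
"""
import re
import subprocess
from typing import List, Optional, Tuple

# Fixed version stated in the advisory.
FIXED_VERSION = "147.0.7727.101"

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract a four-part Chrome version from text such as
    'Google Chrome 146.0.7700.50' and return it as a tuple of ints.

    Integer tuples compare component by component, so 147.0.7727.99
    correctly sorts before 147.0.7727.101 (a plain string compare would not).
    """
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no Chrome version found in {text!r}")
    return tuple(int(p) for p in m.groups())


def is_vulnerable(version_text: str, fixed: str = FIXED_VERSION) -> bool:
    """True if the installed version is older than the fixed version."""
    return parse_version(version_text) < parse_version(fixed)


def triage_inventory(lines) -> Tuple[List[str], List[str]]:
    """Given 'hostname,version' rows from an endpoint inventory export, return
    (vulnerable_hosts, unparseable_hosts), both sorted.

    Rows whose version cannot be parsed are reported rather than skipped:
    a missing version is not evidence that the host is patched.
    """
    vulnerable, unknown = [], []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, ver = line.partition(",")
        try:
            if is_vulnerable(ver):
                vulnerable.append(host)
        except ValueError:
            unknown.append(host)
    return sorted(vulnerable), sorted(unknown)


# Constructed sample export (hypothetical hosts and versions).
SAMPLE_INVENTORY = """\
# hostname,chrome_version
ws-001,146.0.7700.50
ws-002,147.0.7727.101
ws-003,147.0.7727.99
ws-004,147.0.7727.150
ws-005,not installed
"""


def local_chrome_version() -> Optional[str]:
    """Best-effort read of the local Chrome version via '--version'.
    Binary names are assumed for Linux/macOS; returns None if none is found."""
    for exe in ("google-chrome", "google-chrome-stable", "chromium", "chromium-browser"):
        try:
            out = subprocess.run([exe, "--version"], capture_output=True, text=True, timeout=10)
        except (FileNotFoundError, subprocess.TimeoutExpired):
            continue
        if out.returncode == 0 and _VERSION_RE.search(out.stdout):
            return out.stdout.strip()
    return None


if __name__ == "__main__":
    vuln, unknown = triage_inventory(SAMPLE_INVENTORY.splitlines())
    print("vulnerable:", vuln)      # ['ws-001', 'ws-003']
    print("unparseable:", unknown)  # ['ws-005']
    local = local_chrome_version()
    if local:
        print(local, "->", "VULNERABLE" if is_vulnerable(local) else "patched")
```

On Windows the same comparison applies to the version read from the registry or from the Chrome binary's file version; only the collection step differs. Note that a version check reports what is installed, not what is running: a host that has downloaded the update but not restarted Chrome still has the old code in memory.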

Evidence notes

The vulnerability affects Google Chrome versions prior to 147.0.7727.101. The CVSS 3.1 vector, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N, indicates network attack vector, low attack complexity, no privileges required, user interaction required, unchanged scope, and high confidentiality impact with no integrity or availability impact; these metrics yield the 6.5 base score. The weakness is classified as CWE-125 (Out-of-bounds Read) by both the primary and secondary sources.

Official resources

The vulnerability was disclosed through official Chromium security channels on April 15, 2026, with a stable channel update released to address the issue. The underlying bug is tracked in the Chromium issue tracker.