Introduction
A use after free in Google Chrome's CSS layout engine, patched on April 15, 2026, allows any website to trigger remote code execution inside the browser's renderer sandbox simply by serving a crafted HTML page. With Chrome holding roughly 66.7% of the global browser market, the blast radius for unpatched environments is substantial, and the fix involves a subtle but instructive change to how Blink iterates over layout objects during style recalculation.
Technical Information
CVE-2026-6300 is classified under CWE-416 (Use After Free) and carries a CVSS score of 8.8 with a Chromium severity rating of High. The root cause lies in Blink's LocalFrameView::PerformLayout() function, which is responsible for walking the page's layout tree and processing subtree roots that need work.
Root Cause
During layout, the renderer iterates over layout_subtree_root_list_, a list of LayoutObject subtree roots requiring processing. The problem is that interleaved style recalculation can be triggered during this iteration. CSS container queries, for example, re-evaluate when a container is resized during layout. That interleaved recalc can set an element to display:none, which destroys the underlying LayoutObject. When the destroyed object happens to be one of the subtree roots currently being iterated, the list is mutated mid-iteration via ClearLayoutSubtreeRoot(). This leaves a dangling reference in the iteration, producing a use after free.
Attack Flow
Exploitation requires minimal user interaction:
- The victim navigates to a malicious or compromised website.
- The page contains CSS with container queries configured to trigger a resize during the layout pass.
- The interleaved style recalculation destroys a
LayoutObjectthat is still referenced in the subtree root iteration list. - The dangling pointer is dereferenced, enabling arbitrary code execution within the renderer sandbox.
Because the attack vector relies entirely on standard web content delivery, any malicious or compromised website could serve the exploit payload. While execution is constrained within Chrome's sandbox (preventing direct OS level access), this class of vulnerability is commonly chained with sandbox escape bugs to achieve full system compromise.
Patch Information
Google addressed CVE-2026-6300 in commit c34df82, authored by Anders Hartvoll Ruud ([email protected]) on April 7, 2026, and cherry-picked into the 7727 release branch from the original commit c215f8e6 on main. The fix shipped to users on April 15, 2026 in Chrome 147.0.7727.101/.102 (Windows/Mac) and 147.0.7727.101 (Linux). The code review was conducted at CL 7669842 (original) and CL 7735721 (cherry-pick), reviewed by Morten Stenshorne.
The fix touches four files across three logical changes:
1. Iterate on a copy of the list (local_frame_view.cc)
Instead of iterating directly over the live layout_subtree_root_list_.Ordered(), the code now copies it into a local variable first, then iterates on the copy. Crucially, it checks whether each root still exists in the original list before processing it:
// BEFORE (vulnerable): for (auto& root : layout_subtree_root_list_.Ordered()) { bool should_rebuild_fragments = false; LayoutObject& root_layout_object = *root; // ... processing ... } // AFTER (patched): HeapVector<LayoutObjectWithDepth> ordered_roots = layout_subtree_root_list_.Ordered(); for (LayoutObjectWithDepth& root : ordered_roots) { LayoutObject& root_layout_object = *root; if (!layout_subtree_root_list_.Contains(root_layout_object)) { // A previous iteration removed the entry from the list. // This can happen when interleaved style recalc sets the element // associated the layout subtree root to display:none. continue; } bool should_rebuild_fragments = false; // ... processing ... }
This copy then check pattern is intentional. The commit message explains why a simpler std::move approach would not work: the original list must remain intact so the code can detect which roots were invalidated by earlier iterations.
2. New Contains() helper (depth_ordered_layout_object_list.cc / .h)
To support the validity check above, a new Contains() method was added to DepthOrderedLayoutObjectList:
bool DepthOrderedLayoutObjectList::Contains(LayoutObject& object) const { return Unordered().Contains(&object); }
This delegates to the internal HeapHashSet<Member<LayoutObject>>, providing O(1) lookup to verify that a given LayoutObject is still a valid entry in the live list before it is used.
3. Regression test
A Web Platform Test crashtest was added under css/css-conditional/container-queries/crashtests/. It constructs a scenario where a container query causes a layout subtree root to become display:none while layout is in progress, the exact trigger condition for the vulnerability. The test forces layout via document.body.offsetTop, mutates styles that resize a container (triggering the query), and forces layout again to confirm no crash occurs.
Affected Systems and Versions
All Google Chrome versions prior to 147.0.7727.101 on desktop platforms are affected. The patched versions are:
| Platform | Fixed Version |
|---|---|
| Windows | 147.0.7727.101/.102 |
| Mac | 147.0.7727.101/.102 |
| Linux | 147.0.7727.101 |
Any Chromium based browser that incorporates the vulnerable Blink rendering engine code may also be affected, though specific version mappings for downstream browsers (Edge, Opera, Brave, etc.) depend on when they merge the upstream fix.
Vendor Security History
Google maintains a robust vulnerability disclosure and patching process through the Chromium project. The project utilizes a rapid release cycle to push security updates to the Stable channel frequently. The timeline for CVE-2026-6300 reflects this: the fix was authored on April 7, cherry-picked into the release branch, and shipped to users on April 15, an eight day turnaround from code fix to public release. The Chromium issue tracker entry for bug 491994185 remains access restricted, which is standard practice for security bugs until a sufficient percentage of users have updated.
References
- NVD Entry for CVE-2026-6300
- CVE Record: CVE-2026-6300
- Chrome Stable Channel Update for Desktop (April 15, 2026)
- Chromium Issue 491994185
- Patch Commit c34df82
- Patch Diff
- CISA Known Exploited Vulnerabilities Catalog
- Update Google Chrome (Desktop)
- Chromium Blog: Speeding up Chrome's Release Cycle
- StatCounter Browser Market Share
