Introduction
A use-after-free vulnerability in Google Chrome's Video component gives remote attackers a path to arbitrary code execution inside the browser sandbox, requiring nothing more than a victim clicking a link to a crafted HTML page. With Chrome accounting for roughly two thirds of browser usage worldwide, CVE-2026-6302 and its CVSS 3.1 score of 8.8 represent a meaningful risk surface for virtually every organization.
Technical Information
The root cause of CVE-2026-6302 is a use-after-free condition (CWE-416) in Chrome's Video component. A use-after-free occurs when application code dereferences a pointer to memory that has already been freed and potentially reallocated for a different purpose. In the context of a browser, this class of bug is particularly dangerous because the attacker can influence heap layout through JavaScript and DOM manipulation, increasing the likelihood that freed memory is reclaimed with attacker-controlled data.
The CVSS 3.1 vector breaks down as follows:
| Metric | Value | Description |
|---|---|---|
| Base Score | 8.8 | High severity |
| Attack Vector | Network | Exploitable over the internet |
| Attack Complexity | Low | No specialized access conditions required |
| Privileges Required | None | Attacker needs no prior authentication |
| User Interaction | Required | Victim must visit a crafted HTML page |
| Scope | Unchanged | Remains within the vulnerable component |
| Confidentiality Impact | High | Total loss of information within context |
| Integrity Impact | High | Total compromise of data integrity |
| Availability Impact | High | Complete denial of service within context |
Attack Flow
From an exploitation perspective, the attack would proceed as follows:
- The attacker constructs a malicious HTML page that triggers specific Video component behavior in Chrome, causing a memory object to be freed prematurely.
- The attacker uses heap-shaping techniques (commonly via JavaScript typed arrays or other allocator-friendly objects) to reclaim the freed memory with controlled content.
- When Chrome's Video component subsequently accesses the dangling pointer, it operates on attacker-controlled data, enabling arbitrary code execution.
- The victim is lured to the attacker-controlled page through phishing, malvertising, or embedding the payload in an iframe on a compromised site.
- Code execution occurs within the Chrome renderer sandbox. While the sandbox constrains the blast radius, the attacker achieves full control within that context, with high impact to confidentiality, integrity, and availability.
The vulnerability was reported by the security researcher Syn4pse on March 24, 2026. Google has restricted access to the specific bug details and related links until a majority of users have received the update, which is standard practice to limit the window for reverse engineering and exploit development.
Affected Systems and Versions
All Google Chrome versions prior to 147.0.7727.101 are affected. The fixed versions by operating system are:
| Operating System | Minimum Secure Version |
|---|---|
| Windows | 147.0.7727.101 or 147.0.7727.102 |
| Mac | 147.0.7727.101 or 147.0.7727.102 |
| Linux | 147.0.7727.101 |
Any Chromium-based browser that incorporates the vulnerable Video component code may also be affected, though specific version mappings for downstream browsers (Edge, Brave, Opera, etc.) will depend on their respective update schedules.
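A fleet inventory can be triaged against the fixed build with a numeric version comparison. This is an added example, not part of the original advisory: the host names, browser labels and inventory rows are constructed, and only the 147.0.7727.101 threshold comes from the table above.

```python
import re

# Fixed build from the "Affected Systems and Versions" table on this page.
FIXED = (147, 0, 7727, 101)
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")

# Constructed inventory rows: (host, browser, reported version string).
INVENTORY = [
    ("ws-001", "chrome", "Google Chrome 147.0.7727.101"),
    ("ws-002", "chrome", "Google Chrome 147.0.7727.99"),
    ("ws-003", "chrome", "Google Chrome 146.0.7000.10"),
    ("mac-014", "chrome", "147.0.7727.102"),
    ("ws-020", "edge", "Microsoft Edge 147.0.1000.20"),
    ("ws-031", "chrome", "unknown"),
]


def parse_version(text):
    """Return the four-part version as a tuple of ints, or None if absent."""
    match = VERSION_RE.search(text)
    return tuple(int(part) for part in match.groups()) if match else None


def classify(browser, version_text):
    version = parse_version(version_text)
    if version is None:
        return "unparsed"  # needs manual follow-up, never assume patched
    if browser != "chrome":
        # The page gives no version mapping for downstream Chromium browsers.
        return "check-vendor"
    # Tuple comparison is numeric per field. Comparing the raw strings would
    # rank "7727.99" above "7727.101" and report a vulnerable host as patched.
    return "patched" if version >= FIXED else "vulnerable"


def triage(inventory):
    return {host: classify(browser, text) for host, browser, text in inventory}


if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host}: {status}")
```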
Vendor Security History
Google Chrome's security track record reflects both the scale of its attack surface and the maturity of its defensive investments. The Chromium project employs AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, and AFL to proactively detect memory corruption issues. The Vulnerability Rewards Program incentivizes external researchers to report bugs responsibly.
Despite these measures, Chrome remains a high-value target. The April 15, 2026 stable channel update that addressed CVE-2026-6302 included 31 distinct security fixes. More critically, March 2026 saw confirmed in-the-wild exploitation of at least two other Chrome vulnerabilities:
| Vulnerability ID | Component | Reported Date | In the Wild Exploitation |
|---|---|---|---|
| CVE-2026-6302 | Video | March 24, 2026 | None reported currently |
| CVE-2026-5281 | Dawn | March 31, 2026 | Confirmed by Google |
| CVE-2026-3910 | Unknown | March 10, 2026 | Confirmed by Google |
This pattern of rapid weaponization of Chrome memory corruption flaws reinforces the importance of treating CVE-2026-6302 as a high-priority remediation item, even in the absence of confirmed exploitation.