Introduction
A use after free vulnerability in Google Chrome's Skia Graphite GPU rasterization backend can allow an attacker who has already compromised the renderer process to escape Chrome's sandbox entirely, gaining access to the underlying operating system. With Chrome commanding roughly 66.7 percent of the global desktop browser market, CVE-2026-6304 represents a significant exposure for virtually every enterprise environment.
Technical Information
Root Cause: Use After Free in the Graphite Rasterization Pipeline
CVE-2026-6304 is a use after free (CWE-416) memory corruption vulnerability in the Graphite component of Google Chrome. Graphite is Skia's next generation GPU rasterization backend, purpose built to replace the legacy Ganesh backend. It is designed around modern graphics APIs including Vulkan, Metal, and Direct3D 12, and is responsible for converting paint commands from the Blink rendering engine into the pixels displayed on screen.
Use after free conditions arise when a program continues to reference a pointer after the memory it addresses has been deallocated. If the freed memory is subsequently reallocated for a different purpose, the dangling pointer can be leveraged to read or write arbitrary data, potentially enabling code execution. In this case, a freed object within the Graphite rasterization pipeline was subsequently accessed, creating the exploitable condition.
Why Graphite Makes This Particularly Dangerous
A critical architectural detail elevates the severity of this bug. In Chrome's multi process architecture, Graphite operates within the GPU process, which runs with broader system privileges than the highly sandboxed renderer process. The renderer sandbox is one of Chrome's primary security boundaries, designed to contain the impact of memory corruption bugs in web content processing. A use after free in the GPU process, however, sits on the other side of that boundary. An attacker who can trigger the bug from a compromised renderer effectively crosses from a restricted environment into a more privileged one.
This is reflected in the CVSS 3.1 vector: AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H, with a base score of 8.3 (HIGH). The "Scope: Changed" designation specifically captures this trust boundary crossing.
| CVSS Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | High |
| Privileges Required | None |
| User Interaction | Required |
| Scope | Changed |
| Confidentiality / Integrity / Availability | High / High / High |
Attack Flow
Exploitation of CVE-2026-6304 is a two stage process:
-
Renderer compromise (precondition): The attacker must first compromise Chrome's renderer process. This is not part of CVE-2026-6304 itself and would typically be achieved through a separate vulnerability, such as a type confusion or buffer overflow in V8 or Blink. The renderer is the process that handles parsing and executing web content, making it a frequent target for memory corruption exploits delivered via malicious web pages.
-
Sandbox escape via Graphite: Once the renderer is compromised, the attacker delivers a crafted HTML page (or manipulates rendering commands) that triggers the use after free condition in the Graphite rasterization pipeline running in the GPU process. Because the GPU process operates outside the renderer sandbox with elevated privileges, successful exploitation allows the attacker to escape the sandbox and interact with the underlying operating system.
The requirement for a prior renderer compromise raises the attack complexity, which is why the CVSS vector specifies AC:H. In practice, however, renderer compromises are a well understood class of attack, and chaining two vulnerabilities together for a full sandbox escape is a standard technique in browser exploitation.
Graphite and Skia Architecture Context
For additional context, Skia is the graphics engine used by Google Chrome to render paint commands from Blink and the browser UI into pixels. The Graphite backend was introduced as a modernization effort, and for Chrome's implementation, Google chose to use Dawn (Chrome's WebGPU implementation) as the abstraction layer for platform native graphics APIs. This means Graphite sits at a critical intersection of the rendering pipeline and the GPU hardware abstraction layer.
Patch Information
Google addressed CVE-2026-6304 through a stable channel update released on April 15, 2026. The patched versions are:
| Platform | Patched Version |
|---|---|
| Windows | 147.0.7727.101 / 147.0.7727.102 |
| macOS | 147.0.7727.101 / 147.0.7727.102 |
| Linux | 147.0.7727.101 |
| Android | 147.0.7727.101 |
All Chrome versions prior to 147.0.7727.101 are vulnerable.
This was a point release specifically targeting security fixes, bumping from the initial Chrome 147.0.7727.55 stable release (April 7, 2026). The eight day turnaround from initial stable release to security patch indicates that the Chrome security team treated this vulnerability with urgency. The update includes 31 total security fixes.
The patch corrects the memory management defect that allowed a freed object within the Graphite rasterization pipeline to be subsequently accessed. The exact code level details of the fix are not publicly available; the associated Chromium bug report (Issue 496393742) remains access restricted, which is standard practice for Chrome security bugs until the majority of users have updated.
Downstream Chromium browsers: Because Graphite is part of the core Skia graphics library shared across all Chromium based browsers, downstream browsers such as Microsoft Edge, Brave, Opera, and Vivaldi will need to absorb the upstream Chromium fix into their own release trains. Administrators should verify that all Chromium derived browsers in their environment are updated past this fix boundary, not just Chrome itself.
Enterprise administrators should not rely on Chrome's automatic staged rollout. Instead, organizations should push the update through enterprise MDM or software deployment tooling to minimize the vulnerability window.
Affected Systems and Versions
All Google Chrome desktop versions prior to 147.0.7727.101 are affected. This includes:
- Google Chrome for Windows (versions before 147.0.7727.101)
- Google Chrome for macOS (versions before 147.0.7727.101)
- Google Chrome for Linux (versions before 147.0.7727.101)
- Google Chrome for Android (versions before 147.0.7727.101)
Because the vulnerability resides in the Skia Graphite component, which is shared across the Chromium codebase, all Chromium based browsers that have adopted the Graphite backend are potentially affected until they integrate the upstream fix. This includes Microsoft Edge, Brave, Opera, and Vivaldi.
Vendor Security History
Google maintains a dedicated Chromium security team and a well established Vulnerability Reward Program. Their disclosure policy restricts access to bug details and links until a majority of users are updated with a fix, and security bugs automatically become publicly visible 14 weeks after they are fixed.
CVE-2026-6304 was reported internally by Google on March 26, 2026 and patched on April 15, 2026, demonstrating a 20 day turnaround from report to fix for a high severity issue. Use after free vulnerabilities in Chrome are a recurring class of bug; the Chromium project has been investing in memory safety improvements (including Rust adoption and MiraclePtr) to reduce the frequency of these issues over time.
References
- NVD: CVE-2026-6304
- CVE Record: CVE-2026-6304
- Chrome Releases: Stable Channel Update for Desktop (April 15, 2026)
- Chromium Issue 496393742
- Introducing Skia Graphite: Chrome's Rasterization Backend
- Skia Documentation
- Chromium Security
- CISA Known Exploited Vulnerabilities Catalog
- Browser Market Share Worldwide (StatCounter)
