Introduction
A type confusion flaw in Chrome's Turbofan JIT compiler now gives remote attackers a path to arbitrary code execution inside the renderer sandbox, requiring nothing more than a visit to a malicious webpage. With Chrome commanding roughly 66.7 percent of the global browser market, CVE-2026-6307 represents a significant attack surface that security teams need to address promptly across desktop and mobile fleets.
Technical Information
Root Cause: Speculative Optimization Gone Wrong
The vulnerability resides in Turbofan, V8's optimizing just-in-time (JIT) compiler. Turbofan is responsible for compiling frequently executed ("hot") JavaScript functions into highly optimized machine code. It achieves this through speculative optimization: profiling runtime behavior, making assumptions about variable types, and stripping away expensive type-check guards from the generated code. When those speculative type assumptions hold, execution is fast. When they are violated, the engine is supposed to trigger deoptimization, falling back to the safe interpreter path.
CVE-2026-6307 is a type confusion bug (CWE-843) that arises when Turbofan's speculative type assumptions are violated at runtime but the compiler fails to trigger the expected deoptimization. The generated machine code then operates on an object using the wrong type layout. Because the memory layout of different object types differs in size, field offsets, and semantics, this mismatch corrupts memory in a potentially controlled way, giving an attacker a primitive for arbitrary code execution.
Historical Turbofan type confusion bugs such as CVE-2025-2135 and CVE-2020-16009 share the same fundamental root cause pattern: incorrect type inference or map tracking logic that fails to install or honor proper deoptimization guards.
Attack Flow
The exploitation path is straightforward from the victim's perspective:
- An attacker crafts an HTML page containing JavaScript designed to trigger the faulty type inference path in Turbofan.
- A user visits the page (or is redirected to it via advertising, phishing, or a compromised legitimate site).
- The V8 engine profiles the attacker's JavaScript and eventually compiles it through Turbofan's optimizing pipeline.
- The type confusion manifests during JIT compilation. The resulting optimized code mishandles object types, and the attacker gains a controlled memory corruption primitive.
- The attacker leverages this primitive to execute arbitrary code within Chrome's renderer sandbox.
No special user privileges or additional interaction beyond visiting the page are required. Execution is constrained to the renderer sandbox, which limits direct host level compromise but still exposes data within the browser context: cookies, session tokens, rendered page content, and potentially credentials entered on other tabs sharing the same renderer process. If chained with a separate sandbox escape vulnerability, full system compromise becomes possible.
Discovery Timeline
| Milestone | Date |
|---|---|
| Reported by Project WhatForLunch | March 29, 2026 |
| Stable channel fix released | April 15, 2026 |
| NVD publication | April 15, 2026 |
The 17 day turnaround from report to stable fix reflects the critical nature of the vulnerability and the efficiency of Google's response process.
Patch Information
Google addressed CVE-2026-6307 through a Stable Channel update for desktop released on April 15, 2026. The fix shipped in Chrome version 147.0.7727.101 for Linux and 147.0.7727.101/102 for Windows and Mac. This update landed roughly one week after the initial Chrome 147 stable release (147.0.7727.49/.50), which went out on April 7, 2026.
The precise code level changes are not yet publicly available. The associated Chromium bug tracker entry (issue 497404188) is currently access restricted, which is standard practice for Chrome security bugs. Google typically keeps issue details under embargo until a sufficient percentage of users have received the patched version.
Based on historical patterns with similar Turbofan type confusion fixes (such as CVE-2025-2135 and CVE-2020-16009), the patch likely corrects faulty type inference or map tracking logic in Turbofan to ensure proper deoptimization when the compiler's type assumptions are invalidated. Past fixes in this area have involved adding or correcting CheckMaps guards, fixing InferMapsUnsafe() traversal logic, or installing proper CodeDependency hooks so that JIT compiled code is deoptimized when object maps change unexpectedly.
Fixed Versions by Platform
| Platform | Fixed Version |
|---|---|
| Windows | 147.0.7727.101 or 147.0.7727.102 |
| Mac | 147.0.7727.101 or 147.0.7727.102 |
| Linux | 147.0.7727.101 |
| Android | 147.0.7727.101 (rolling out via Google Play) |
Because the stable channel update rolls out over days to weeks, administrators should not rely on automatic updates alone. Manual verification of version compliance across the fleet is recommended.
CVE-2026-6307 also affects all downstream Chromium based browsers, including Microsoft Edge, Brave, and Opera. Those products will need to ingest the upstream Chromium fix and release their own corresponding updates. Security teams should track those downstream advisories independently.
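A fleet-side compliance check that encodes the per-platform fixed builds from the table above, as an added example (not Google's or the advisory's code). It assumes an inventory of (hostname, platform, version string) rows collected by some endpoint agent, where the version string is whatever `google-chrome --version` or the platform equivalent reported; downstream Chromium browsers carry their own version numbers and are deliberately not covered.

```python
import re
# Minimum fixed build per platform (Windows/Mac shipped .101 and .102; >= .101 carries the fix).
FIXED_VERSIONS = {
    "windows": (147, 0, 7727, 101),
    "mac": (147, 0, 7727, 101),
    "linux": (147, 0, 7727, 101),
    "android": (147, 0, 7727, 101),
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")

def parse_version(text):
    """Pull a four-part Chrome version out of a string such as the output of
    'google-chrome --version' ("Google Chrome 147.0.7727.101").
    Returns a tuple of ints, or None when no version is present."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(part) for part in m.groups())

def is_patched(version_text, platform):
    """True when the reported build is at or above the fixed build for the
    platform. Unknown platforms and unparsable versions count as unpatched
    so they show up in the report instead of passing silently."""
    version = parse_version(version_text)
    minimum = FIXED_VERSIONS.get(platform.lower())
    if version is None or minimum is None:
        return False
    # Tuple comparison is lexicographic, which matches dotted-version order.
    return version >= minimum

def audit(inventory):
    """inventory: iterable of (hostname, platform, version_text) rows.
    Returns the hostnames still running a vulnerable build."""
    return [host for host, platform, ver in inventory if not is_patched(ver, platform)]

# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE_INVENTORY = [
    ("ws-01", "windows", "Google Chrome 147.0.7727.102"),
    ("ws-02", "windows", "Google Chrome 147.0.7727.50"),   # pre-fix 147 stable release
    ("mac-01", "mac", "Google Chrome 147.0.7727.101"),
    ("lx-01", "linux", "Google Chrome 146.0.0.0"),        # constructed older build
    ("and-01", "android", "147.0.7727.101"),
    ("lx-02", "linux", "command not found"),              # agent could not read a version
]

if __name__ == "__main__":
    for host in audit(SAMPLE_INVENTORY):
        print(f"{host}: NOT patched for CVE-2026-6307")
```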
Affected Systems and Versions
The vulnerability affects all Google Chrome versions prior to 147.0.7727.101 across all desktop platforms (Windows, Mac, Linux) and Android. Specifically:
- Windows and Mac: versions prior to 147.0.7727.101/102
- Linux: versions prior to 147.0.7727.101
- Android: versions prior to 147.0.7727.101
All Chromium based browsers that incorporate the affected V8 engine version are also vulnerable until they ship their own updates incorporating the upstream fix.
Vendor Security History
Google maintains a mature and well resourced vulnerability disclosure program for Chrome. The vendor credits external researchers for their findings; in this case, the vulnerability was reported by Project WhatForLunch on March 29, 2026. Google's practice of restricting bug details until a majority of users are updated is a deliberate measure to prevent adversaries from reverse engineering patches before the ecosystem is secure.
Type confusion in Turbofan is a recurring vulnerability class in Chrome's history. Notable prior instances include CVE-2025-2135 and CVE-2020-16009, both of which involved similar root cause patterns in V8's JIT compilation pipeline. More recently, Google confirmed active exploitation of CVE-2026-5281, another Chrome vulnerability, underscoring the ongoing adversary interest in browser level attack surfaces.