Introduction
A use after free in Chrome's Viz compositor, the single process responsible for combining frames from every renderer into the final display output, can let an attacker who already controls a renderer process break out of the sandbox entirely. With Chrome commanding 66.7 percent of the global browser market as of March 2026, the exposure surface for CVE-2026-6309 spans the majority of enterprise endpoints and consumer devices worldwide.
Google shipped a fix on April 15, 2026 in Chrome 147.0.7727.101/102, bundled alongside 30 other security fixes. The vulnerability carries a CVSS 3.1 base score of 8.3 (HIGH) and the bug tracker entry remains locked, meaning exploit details are not yet public but patch diffing is likely already underway.
Technical Information
Root Cause: Use After Free in the Viz Compositor
CVE-2026-6309 is a use after free (CWE-416) in Chrome's Viz component. Viz is the client library and service implementation for compositing and GPU presentation within Chromium. The architecture uses multiple CPU processes for performance and security isolation, but there is exactly one Viz process for all of Chromium. This single Viz process aggregates compositing from multiple render processes and the browser process, then rasters and draws using the GPU.
The key architectural detail here is that Viz operates at a higher privilege level than individual renderer processes. It runs in the browser process context and has access to cross origin visual data. Separating Viz into its own process is designed to provide stability and security isolation from GPU hardware, but it also means that a memory corruption bug in Viz can bridge the gap between the sandboxed renderer and the more privileged browser process.
The underlying flaw is an object lifetime management error: a memory region is freed while a pointer to it remains in use. If the attacker can influence what data is placed in that region before the dangling pointer is dereferenced, the dereference operates on attacker-shaped data and can potentially yield control of execution flow within the Viz process.
Attack Flow
The exploitation of CVE-2026-6309 follows a two stage attack path:
- Renderer compromise: The attacker first needs to gain code execution within a Chrome renderer process. This is a prerequisite, not part of CVE-2026-6309 itself. Renderer compromises can be achieved through separate vulnerabilities such as type confusions in V8 or Turbofan, heap overflows in PDFium, or other memory corruption bugs. Notably, the same April 15 release fixes several such vulnerabilities (CVE-2026-6305 in PDFium, CVE-2026-6307 in Turbofan, CVE-2026-6308 in Media), any of which could theoretically serve as the first link in a chain.
- Sandbox escape via Viz: With a foothold in the renderer, the attacker delivers a specially crafted HTML page that triggers the use after free condition in the Viz component. Because Viz aggregates compositor frames from all renderers and runs with browser process level privileges, successfully exploiting this bug allows the attacker to escape the renderer sandbox. The CVSS vector (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H) explicitly reflects this scope change from renderer to browser process, along with high impact to confidentiality, integrity, and availability.
The attack complexity is rated High because it requires the prior renderer compromise, and user interaction is required (the victim must navigate to or be served the crafted HTML page). However, the scope change and full CIA impact make this a serious escalation primitive.
Adjacent Vulnerabilities in the Same Release
The April 15, 2026 update includes 31 security fixes. The following High severity issues were resolved alongside CVE-2026-6309:
| CVE Identifier | Severity | Component | Description |
|---|---|---|---|
| CVE-2026-6305 | High | PDFium | Heap buffer overflow |
| CVE-2026-6307 | High | Turbofan | Type Confusion |
| CVE-2026-6308 | High | Media | Out of bounds read |
| CVE-2026-6309 | High | Viz | Use after free |
| CVE-2026-6310 | High | Dawn | Use after free |
The presence of multiple High severity vulnerabilities across different components reinforces the necessity of deploying the complete update. Several of these could serve as the initial renderer compromise that CVE-2026-6309 requires as a precondition.
Patch Information
Google addressed CVE-2026-6309 in the Chrome Stable channel update released on April 15, 2026. The patched versions are:
| Operating System | Minimum Secure Version |
|---|---|
| Windows | 147.0.7727.101 or 147.0.7727.102 |
| macOS | 147.0.7727.101 or 147.0.7727.102 |
| Linux | 147.0.7727.101 |
| Android | 147.0.7727.101 |
This was a mid cycle security patch within the Chrome 147 release train, not to be confused with the initial Chrome 147 launch (147.0.7727.55/56, released April 7, 2026), which resolved 60 different vulnerabilities.
The fix is tracked under Chromium issue 497846428, which remains access restricted. This is consistent with Google's standard practice of keeping security bug details confidential until users have had adequate time to update. The specific commit has not yet been publicly linked, so the exact code level diff is not currently available for inspection.
At a high level, the patch corrects the object lifetime management flaw in the Viz compositor that allowed a freed memory region to be referenced by a still active pointer. In typical Chromium use after free remediations within display and compositor subsystems, the fix involves ensuring that surface references and frame sink resources are properly invalidated and that any pointers into compositor data structures are nullified before the underlying memory is released. This pattern is well established across the many compositor UAF fixes Chrome has shipped over the years (for example, CVE-2024-4671, also a use after free in the Visuals/Viz layer).
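The following C snippet is an added illustration of the generic remediation pattern described above, not Chromium code and not the actual (still non-public) patch: a registry of hypothetical frame sink objects issues clients a generation-checked handle instead of a raw pointer, and release clears the registry slot before freeing, so a handle kept past release resolves to NULL instead of to freed or reused memory. All names (FrameSink, SinkHandle, sink_*) are invented for the example.

```c
#include <stdlib.h>
#include <string.h>
/* Hypothetical stand-in for a Viz-owned compositor frame sink (not Chromium code). */
typedef struct { unsigned slot; unsigned generation; char label[16]; } FrameSink;

#define MAX_SINKS 4
static FrameSink *g_sinks[MAX_SINKS];    /* owning registry slots */
static unsigned g_generation[MAX_SINKS]; /* bumped each time a slot is (re)used */
/* What a client keeps instead of a raw FrameSink*: slot plus issuing generation. */
typedef struct { unsigned slot; unsigned generation; } SinkHandle;

SinkHandle sink_create(const char *label) {
    for (unsigned i = 0; i < MAX_SINKS; i++) {
        if (g_sinks[i] == NULL) {
            FrameSink *s = calloc(1, sizeof *s);
            if (s == NULL) break;
            s->slot = i;
            s->generation = ++g_generation[i];
            strncpy(s->label, label, sizeof s->label - 1);
            g_sinks[i] = s;
            return (SinkHandle){ i, s->generation };
        }
    }
    return (SinkHandle){ MAX_SINKS, 0 }; /* registry full or OOM: invalid handle */
}

/* Resolve a handle; NULL if the sink was released or its slot was reused. */
FrameSink *sink_resolve(SinkHandle h) {
    if (h.slot >= MAX_SINKS || g_sinks[h.slot] == NULL) return NULL;
    if (g_sinks[h.slot]->generation != h.generation) return NULL;
    return g_sinks[h.slot];
}

/* Release: clear the registry pointer before free() so no live pointer to the
   block survives and every handle issued for it stops resolving. */
void sink_release(SinkHandle h) {
    FrameSink *s = sink_resolve(h);
    if (s == NULL) return; /* repeated release is a no-op, not a double free */
    g_sinks[h.slot] = NULL;
    free(s);
}

/* Returns 1 when a handle kept across release and slot reuse is rejected. */
int demo_stale_handle_is_rejected(void) {
    SinkHandle old = sink_create("renderer-1");
    int live_ok = sink_resolve(old) != NULL;
    sink_release(old);
    SinkHandle fresh = sink_create("renderer-2"); /* reuses slot 0, new generation */
    int stale_rejected = sink_resolve(old) == NULL; /* must not alias the new sink */
    int fresh_ok = sink_resolve(fresh) != NULL;
    sink_release(fresh);
    return live_ok && stale_rejected && fresh_ok;
}
```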
To verify you are protected, navigate to chrome://settings/help and confirm your version is 147.0.7727.101 or later.
Since Chromium is the upstream for other browsers such as Microsoft Edge, Brave, and Opera, those vendors are expected to incorporate the same fix in their own downstream releases. Security teams should track those downstream advisories independently.
For enterprise environments, administrators can manage Chrome browser updates through Chrome Enterprise Core, choosing when to roll out updates by placing users on specific release channels.
Affected Systems and Versions
All versions of Google Chrome prior to 147.0.7727.101 are affected. Specifically:
- Windows and macOS: All Chrome versions before 147.0.7727.101/102
- Linux: All Chrome versions before 147.0.7727.101
- Android: All Chrome versions before 147.0.7727.101
The initial Chrome 147 release (147.0.7727.55/56, April 7, 2026) is also vulnerable, as CVE-2026-6309 was not addressed until the mid cycle patch on April 15.
Chromium based browsers (Microsoft Edge, Brave, Opera, and others) that have not yet incorporated the upstream fix from Chromium issue 497846428 should also be considered potentially affected.
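To turn the patch and affected-version tables above into a fleet check, here is an added C example (not from the advisory, Google, or any vendor tool) that parses Chrome version strings, compares them against the 147.0.7727.101 minimum, and triages a constructed endpoint inventory; the hostnames and the non-147 version numbers are made up for the example.

```c
#include <stdio.h>

/* Minimum secure build from the patch table: 147.0.7727.101 on every platform
   (Windows and macOS also shipped .102, which the >= comparison covers). */
static const unsigned MIN_SECURE[4] = { 147, 0, 7727, 101 };

/* Parse "major.minor.build.patch"; returns 0 on anything else. */
int parse_chrome_version(const char *s, unsigned out[4]) {
    char trailing;
    int n = sscanf(s, "%u.%u.%u.%u%c", &out[0], &out[1], &out[2], &out[3], &trailing);
    return n == 4; /* 5 means junk after the fourth number, <4 means too short */
}

/* 1 = needs the April 15 update, 0 = patched, -1 = version string unusable. */
int chrome_needs_update(const char *version) {
    unsigned v[4];
    if (!parse_chrome_version(version, v)) return -1;
    for (int i = 0; i < 4; i++) {
        if (v[i] < MIN_SECURE[i]) return 1;
        if (v[i] > MIN_SECURE[i]) return 0;
    }
    return 0; /* exactly the fixed build */
}

/* Constructed inventory (hostnames and the non-147 versions are made up). */
typedef struct { const char *host; const char *version; } Endpoint;
static const Endpoint INVENTORY[] = {
    { "wks-01", "147.0.7727.55"  }, /* initial Chrome 147 launch: still vulnerable */
    { "wks-02", "147.0.7727.101" }, /* patched */
    { "wks-03", "147.0.7727.102" }, /* patched (second Windows/macOS build) */
    { "wks-04", "146.0.7650.9"   }, /* earlier release train: vulnerable */
    { "wks-05", "148.0.7800.12"  }, /* later train: carries the fix */
    { "wks-06", "unknown"        }, /* inventory gap: flag for manual check */
};

/* Prints one line per host needing attention and returns how many there are. */
int count_hosts_needing_attention(void) {
    int flagged = 0;
    for (size_t i = 0; i < sizeof INVENTORY / sizeof INVENTORY[0]; i++) {
        int r = chrome_needs_update(INVENTORY[i].version);
        if (r == 0) continue;
        flagged++;
        printf("%-8s %-16s %s\n", INVENTORY[i].host, INVENTORY[i].version,
               r == 1 ? "UPDATE REQUIRED (below 147.0.7727.101)" : "UNPARSEABLE VERSION");
    }
    return flagged;
}
```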
Vendor Security History
Google maintains an active Vulnerability Reward Program that compensates external security researchers for responsibly disclosed bugs. The April 15, 2026 release notes illustrate this engagement with substantial payouts, including a $90,000 reward for a Critical heap buffer overflow in ANGLE and a $10,000 reward for a Critical use after free in Proxy.
CVE-2026-6309 itself was reported internally by Google, which may indicate discovery through internal fuzzing infrastructure or code review. The Viz component has been the subject of prior security fixes, including CVE-2024-4671, which was also a use after free in the Visuals/Viz layer. The recurrence of use after free vulnerabilities in compositor subsystems suggests that the complexity of object lifetime management in GPU compositing code remains a persistent challenge, even with Chrome's substantial investment in memory safety tooling.
References
- CVE-2026-6309 Detail, NVD
- Stable Channel Update for Desktop, April 15 2026
- Chromium Issue 497846428
- Chromium Viz Component README
- RenderingNG Architecture, Chrome for Developers
- Update Google Chrome, Computer
- Manage Chrome Updates, Chrome Enterprise Core
- Chrome Browser Release Channels
- Google Vulnerability Reward Program Rules