Quick Look: CVE-2026-6315, Use After Free in Google Chrome Permissions on Android

A brief summary of CVE-2026-6315, a high severity use after free vulnerability in Google Chrome's Permissions component on Android that enables remote code execution. Includes patch details and affected version information.

ZeroPath CVE Analysis

2026-04-15

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.


Introduction

A Use After Free vulnerability in Google Chrome's Permissions component on Android gives remote attackers a path to arbitrary code execution, requiring only that a user visit a malicious page and perform certain UI interactions. With Chrome commanding nearly 67 percent of the global browser market and Android holding a similar share of mobile operating systems, the potential exposure from CVE-2026-6315 spans billions of devices worldwide.

Technical Information

CVE-2026-6315 is classified under CWE-416 (Use After Free). This class of memory corruption occurs when an application references a pointer after the memory it points to has been deallocated. In this case, the vulnerable code resides in Chrome's Permissions component, which manages permission prompts and state for features like geolocation, camera, microphone, and notifications.

When a Use After Free condition is triggered in a browser context, the freed memory region can potentially be reclaimed by attacker-controlled data through heap manipulation techniques such as heap spraying or precise allocation timing. If the application subsequently dereferences the stale pointer, it operates on attacker-controlled memory, which can redirect execution flow and achieve arbitrary code execution.

Attack Flow

The exploitation of CVE-2026-6315 proceeds through the following stages:

  1. The attacker hosts a specially crafted HTML page designed to trigger the memory corruption in Chrome's Permissions subsystem.
  2. The victim navigates to the malicious page using Chrome on Android. Page load alone is not sufficient to trigger the vulnerability.
  3. The victim must perform specific UI gestures while interacting with the page. The exact nature of these gestures is not publicly documented; the Chromium issue tracker entry (issue 499247910) remains access-restricted.
  4. The UI gestures trigger a sequence in the Permissions component where a memory object is freed but a reference to it is retained and subsequently accessed.
  5. The attacker leverages this dangling pointer access to execute arbitrary code within the context of the Chrome browser process.

CVSS Breakdown

The CVSS 3.1 base score of 8.8 reflects the following vector: Network attack vector, Low attack complexity, No privileges required, User Interaction required. Impact ratings are High across Confidentiality, Integrity, and Availability, consistent with arbitrary code execution capabilities.

The exact object in the Permissions subsystem that is freed prematurely and the specific code-level diff are not publicly available because the Chromium bug tracker entry remains restricted. This is standard Chromium practice: as the release notes state, "access to bug details and links may be kept restricted until a majority of users are updated with a fix." Security teams should operate under the assumption that this vulnerability is highly exploitable given its High severity rating from both the Chromium security team and CISA ADP.

Patch Information

Google addressed CVE-2026-6315 in a Chrome Stable Channel update released on April 15, 2026. The fix landed in the following browser versions:

| Platform | Fixed Version |
|---|---|
| Windows / macOS | 147.0.7727.101 and 147.0.7727.102 |
| Linux | 147.0.7727.101 |
| Android | 147.0.7727.101 |

The vulnerability was discovered and reported internally by Google's own security team on April 3, 2026. Because it was an internal finding, no external bug bounty was awarded (marked [N/A] in the release notes). The specific entry in the Chrome Releases blog post reads:

[N/A][499247910] High CVE-2026-6315: Use after free in Permissions. Reported by Google on 2026-04-03

The High severity tag means the Chromium security team assessed this as a serious issue where exploitation could lead to code execution, though typically within the browser sandbox. CISA ADP concurred, assigning a CVSS 3.1 base score of 8.8.

This fix was part of a broader stable channel update that addressed 31 security vulnerabilities in total, ranging from critical heap buffer overflows in ANGLE and Skia to high severity use after free bugs across multiple components (Video, CSS, Dawn, Codecs, and more). The update bumped the stable channel from the initial Chrome 147.0.7727.55/56 release (which shipped approximately a week earlier on April 7 with 60 security fixes) to the 147.0.7727.101/102 patch level.

For Android devices, Google indicates the update will roll out via Google Play over the course of several days. Organizations managing mobile fleets should push the update through Mobile Device Management (MDM) solutions rather than waiting for the automatic rollout. The manual update steps for end users are: open the Google Play Store, tap the profile icon, tap "Manage apps and device," and install the pending Chrome update.

Users running any version of Chrome prior to 147.0.7727.101 on any platform remain vulnerable and should update immediately.
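To apply the version cut-off above across a fleet, the following Python triages Chrome versions from an MDM inventory export or from proxy-log User-Agent headers. It is an added example, not part of the original analysis or any vendor tooling; the function names, device IDs and inventory row format are assumptions, and the sample data is constructed. Chrome's User-Agent Reduction reports versions as `MAJOR.0.0.0`, so a User-Agent alone cannot confirm the patch level within the 147 line, and the code reports such cases as `unknown` instead of guessing.

```python
import re

# Fixed build for CVE-2026-6315, taken from the version tables on this page.
FIXED = (147, 0, 7727, 101)
VERSION_RE = re.compile(r"^\d+(?:\.\d+){3}$")
UA_RE = re.compile(r"Chrome/(\d+(?:\.\d+){3})")

def parse_version(text):
    """Return a 4-int tuple for a dotted Chrome version, or None if malformed."""
    text = text.strip()
    if not VERSION_RE.match(text):
        return None
    return tuple(int(part) for part in text.split("."))

def classify(version_text):
    """Return 'vulnerable', 'patched' or 'unknown' for one reported version."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"
    # Reduced User-Agent strings report MAJOR.0.0.0, hiding build and patch,
    # so at the fixed major version the patch level cannot be decided.
    if version[0] == FIXED[0] and version[1:] == (0, 0, 0):
        return "unknown"
    # Compare as integers: as strings, "55" would sort after "101".
    return "vulnerable" if version < FIXED else "patched"

def classify_user_agent(user_agent):
    """Classify the Chrome version found in a User-Agent header, if any."""
    match = UA_RE.search(user_agent)
    return classify(match.group(1)) if match else "unknown"

def triage(inventory):
    """Map device id -> status for (device_id, version_text) rows."""
    return {device: classify(version) for device, version in inventory}

# Constructed sample data: device ids and the 146.x build are made up.
SAMPLE_INVENTORY = [
    ("pixel-001", "147.0.7727.101"),
    ("pixel-002", "147.0.7727.55"),
    ("galaxy-003", "146.0.7680.120"),
    ("tablet-004", "147.0.0.0"),
    ("kiosk-005", "not installed"),
]
SAMPLE_UA = ("Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/147.0.0.0 Mobile Safari/537.36")

if __name__ == "__main__":
    for device, status in triage(SAMPLE_INVENTORY).items():
        print(f"{device}: {status}")
    print("proxy log UA:", classify_user_agent(SAMPLE_UA))
```

Devices reported as `unknown` need the full version from the device itself or the MDM agent before they can be counted as patched.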

Affected Systems and Versions

The vulnerability affects the following configurations:

| Platform | Affected Versions | Fixed Version |
|---|---|---|
| Android | All Chrome versions prior to 147.0.7727.101 | 147.0.7727.101 |
| Windows / macOS | All Chrome versions prior to 147.0.7727.101 | 147.0.7727.101 / 147.0.7727.102 |
| Linux | All Chrome versions prior to 147.0.7727.101 | 147.0.7727.101 |

While the NVD description specifically calls out Android as the affected platform, the patch was applied across all desktop platforms as well, and the vulnerability exists in the shared Chromium Permissions component. The primary exploitation scenario described in the advisory targets Android.

Vendor Security History

Google maintains a strong security posture for Chrome, but the browser's complexity and massive attack surface mean memory corruption vulnerabilities are a recurring theme. Recent examples from 2026 alone illustrate the pattern:

| CVE | Component | Exploitation Status |
|---|---|---|
| CVE-2026-6315 | Permissions | No current evidence of active exploitation |
| CVE-2026-5281 | Dawn (WebGPU) | Actively exploited in the wild (April 2026) |
| CVE-2026-2441 | CSSFontFeatureValuesMap | Actively exploited in the wild (February 2026) |

Throughout 2025, Google fixed a total of eight zero-day vulnerabilities that were exploited in attacks. The company operates a formal Vulnerability Reward Program and targets deploying patches for critical vulnerabilities to all Chrome users in under 30 days. CVE-2026-6315 was reported internally on April 3 and patched on April 15, a turnaround of 12 days, which is well within that target.
