Introduction
A critical use after free vulnerability in Google Chrome's XR component on Android allows remote attackers to perform out of bounds memory reads simply by getting a user to visit a crafted HTML page. Given Chrome's dominant position with roughly 69 to 79 percent of the global browser market, the potential attack surface for CVE-2026-6358 is substantial, and organizations with unmanaged Android fleets face particular exposure.
Technical Information
CVE-2026-6358 is classified under CWE-416 (Use After Free). The vulnerability resides in the XR component of Google Chrome on Android. XR refers to the subsystem responsible for handling WebXR and related immersive experience APIs within the browser.
A use after free condition occurs when a program continues to reference a memory location after that memory has been deallocated. In this case, the freed memory within the XR component can be read out of bounds by a remote attacker. The National Vulnerability Database reports a CVSS 3.1 base score of 8.8 (High), assigned by CISA ADP. The full vector string is AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, which breaks down as follows:
- Network accessible: No physical or local access required
- Low attack complexity: No special conditions or race conditions needed
- No privileges required: The attacker does not need an account or elevated access
- User interaction required: The victim must navigate to the malicious page
- Scope unchanged: The vulnerability affects only the vulnerable component
- High impact across confidentiality, integrity, and availability
Chromium's own internal severity assessment rated this vulnerability as Critical.
Attack Flow
Based on available information, exploitation proceeds as follows:
- The attacker crafts a malicious HTML page designed to trigger the use after free condition in Chrome's XR subsystem.
- The victim is lured to visit the page, for example through phishing, a malicious advertisement, or a compromised website.
- When Chrome's XR component processes the crafted content, it accesses memory that has already been freed.
- This results in an out of bounds memory read, which could allow the attacker to leak sensitive data from the browser's memory space.
- Given the CVSS impact ratings of High across all three impact categories, further exploitation beyond a simple memory read (such as achieving code execution) may be possible, though specific exploitation chains have not been publicly documented.
The Chromium issue tracker entry (issue 497724498) remains access restricted, and no proof of concept code or detailed exploitation mechanics have been published. Security teams should rely on version based detection rather than network signatures to identify vulnerable installations.
Affected Systems and Versions
The vulnerability specifically affects Google Chrome on Android prior to version 147.0.7727.101. However, the simultaneous release of patches across platforms means the following versions should be considered the minimum safe versions:
| Operating System | Minimum Safe Chrome Version |
|---|---|
| Android | 147.0.7727.101 |
| Windows | 147.0.7727.101 / 147.0.7727.102 |
| macOS | 147.0.7727.101 / 147.0.7727.102 |
| Linux | 147.0.7727.101 |
Any Chrome installation on Android running a version older than 147.0.7727.101 is vulnerable to this specific CVE. Organizations should audit their managed device inventories and enforce the minimum version through MDM or enterprise browser management platforms.
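The version-based audit described above can be sketched as follows. This is an added example, not code from the advisory or from Google; the inventory column names and device IDs are hypothetical, the sample rows are constructed, and where the table lists two builds the lower one is assumed to be the floor.

```python
import csv
import io

# Minimum safe versions from the table above. Where the table lists two
# builds (.101 / .102), the lower one is used as the floor (assumption).
MIN_SAFE = {
    "android": (147, 0, 7727, 101),
    "windows": (147, 0, 7727, 101),
    "macos": (147, 0, 7727, 101),
    "linux": (147, 0, 7727, 101),
}

def parse_version(text):
    """Parse a four-part Chrome version into a tuple of ints; None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def audit(inventory_csv):
    """Return (device_id, platform, version, status) for every row needing action."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        platform = row["platform"].strip().lower()
        version = parse_version(row["chrome_version"])
        floor = MIN_SAFE.get(platform)
        if floor is None or version is None:
            status = "UNKNOWN"  # unparseable data is reported, never assumed patched
        elif version < floor:   # numeric tuple comparison, not string comparison
            status = "BELOW_MINIMUM"
        else:
            continue
        findings.append((row["device_id"], platform, row["chrome_version"], status))
    return findings

# Constructed sample inventory (hypothetical device IDs and column names).
# dev-005 shows why string comparison fails: "9" sorts after "101" as text.
SAMPLE = """device_id,platform,chrome_version
dev-001,Android,147.0.7727.101
dev-002,Android,147.0.7727.55
dev-003,Android,146.0.7680.177
dev-004,Windows,147.0.7727.102
dev-005,Android,147.0.7727.9
dev-006,Android,unknown
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="\t")
```

Rows with a missing or malformed version are surfaced as UNKNOWN so that gaps in inventory data are followed up rather than counted as patched.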
Vendor Security History
Google maintains a mature security program around Chrome and the broader Chromium project. The Chrome Vulnerability Reward Program actively incentivizes responsible disclosure, and Google regularly publishes security updates with transparency through its Chrome Releases blog and Google Security Blog.
That said, Chrome remains a frequent target. In March 2026, Google issued an emergency update to address two zero day vulnerabilities that were confirmed to be under active exploitation. This pattern of recurring critical and zero day vulnerabilities reflects the reality of maintaining the world's most widely used browser rather than a deficiency in Google's security practices. The restricted status of the Chromium bug tracker entry for CVE-2026-6358 is consistent with Google's standard practice of limiting vulnerability details until a majority of users have updated.
References
- CVE-2026-6358 Detail, National Vulnerability Database
- CVE Record: CVE-2026-6358
- Chrome Releases: Stable Channel Update for Desktop, April 15 2026
- Chromium Issue Tracker: Issue 497724498
- Chrome for Android Update, April 15 2026
- HKCERT: Google Chrome Multiple Vulnerabilities
- The Hacker Wire: CVE-2026-6358
- Forbes: Google Zero Day Alert for 3.5 Billion Chrome Users
- Chrome Vulnerability Reward Program FAQ



