Introduction
A use after free vulnerability in Google Chrome's Video component on Windows, patched on April 15, 2026, gives attackers who have already compromised the renderer process the ability to perform out of bounds memory access through a crafted HTML page. With Chrome commanding nearly 70 percent of the desktop browser market, the sheer number of potentially affected Windows endpoints makes this a noteworthy patch cycle for enterprise security teams, even in the absence of confirmed in the wild exploitation.
Technical Information
CVE-2026-6359 is a use after free (CWE-416) vulnerability in the Video subsystem of Google Chrome. At its core, the flaw means that Chrome's video handling code was referencing a memory region that had already been deallocated. This creates a dangling pointer condition: the pointer still exists and can be dereferenced, but the memory it points to may have been reallocated for a different purpose or may contain attacker controlled data.
CISA-ADP assessed the vulnerability with a CVSS 3.1 base score of 8.8 (HIGH), using the vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. This scoring reflects a network attack vector, low attack complexity, no privileges required, required user interaction, unchanged scope, and high impact across confidentiality, integrity, and availability.
Attack Flow
The exploitation of CVE-2026-6359 follows a multi stage process:
- Renderer compromise (precondition): The attacker must first gain code execution within Chrome's renderer process. This could be achieved through a separate vulnerability, such as a V8 engine bug or another memory corruption flaw in a different component. The renderer process is the sandboxed environment where web content is parsed and rendered.
- Triggering the use after free: With control of the renderer process, the attacker delivers a specially crafted HTML page that exercises the vulnerable code path in the Video component. This triggers the use after free condition, where the code attempts to access a video related object that has already been freed.
- Out of bounds memory access: The dangling pointer dereference allows the attacker to read or write memory outside the intended bounds. Depending on the state of the heap at the time of exploitation, this could enable the attacker to leak sensitive data, corrupt adjacent memory structures, or achieve further code execution.
The requirement for a prior renderer compromise is significant. This means CVE-2026-6359 is not a standalone initial access vector. Instead, it would most likely serve as a second stage in an exploit chain, potentially enabling an attacker to escalate from renderer process compromise toward a sandbox escape or other elevated access. This chaining pattern is consistent with how advanced threat actors have historically targeted Chrome: combining a renderer bug with a sandbox escape to achieve full system compromise.
Object Lifecycle and Root Cause
The fix for this vulnerability would involve correcting the object lifecycle management within the Video subsystem. Specifically, the patch would ensure that references to freed video related objects are properly invalidated, or that the memory is not released prematurely while still in use. The underlying Chromium bug is tracked under Chromium Issue 490251701, but as is standard practice for Chromium security bugs, access to this issue is currently restricted. Google typically keeps security bug details locked down for a minimum of 14 weeks or until a significant majority of Chrome users have received the update.
Patch Information
Google addressed CVE-2026-6359 as part of a Chrome Stable Channel update released on April 15, 2026. The update was published on the official Chrome Releases blog and confirms the following fixed versions:
| Platform | Fixed Version |
|---|---|
| Windows | 147.0.7727.101 or 147.0.7727.102 |
| macOS | 147.0.7727.101 or 147.0.7727.102 |
| Linux | 147.0.7727.101 |
This patch came as a point release on top of the Chrome 147 branch, whose initial release (147.0.7727.55) shipped around April 10, 2026 with its own batch of security fixes. The subsequent .101 update specifically targeted newly reported or newly resolved security issues like CVE-2026-6359, following Google's standard cadence of rolling out targeted security patches between major milestone releases. The broader update included 31 security fixes in total.
The underlying bug is tracked as Chromium Issue 490251701, which remains access restricted per Google's standard security disclosure policy.
Because Chrome auto updates in the background, most users will receive this fix without manual intervention. To confirm the patch is applied, users can navigate to chrome://settings/help (or Menu, then Help, then About Google Chrome) and verify the version is 147.0.7727.101 or later. Users of other Chromium based browsers (Microsoft Edge, Brave, Opera, Vivaldi) should watch for corresponding downstream updates from those vendors.
Affected Systems and Versions
The vulnerability explicitly affects Google Chrome on Windows in versions prior to 147.0.7727.101. While the CVE description specifies Windows as the affected platform, Google released updates across all major platforms simultaneously:
- Windows: All versions of Google Chrome prior to 147.0.7727.101
- macOS: Updated to 147.0.7727.101/.102 as part of the same release cycle
- Linux: Updated to 147.0.7727.101 as part of the same release cycle
- Android: Received the same security fixes as the desktop release
Organizations running any version of Chrome on Windows below 147.0.7727.101 should treat those endpoints as vulnerable. Chromium based browsers that share the affected codebase (Microsoft Edge, Brave, Opera, Vivaldi) may also be affected and should be monitored for vendor specific advisories.
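For fleet triage against the fixed build, the following added example (not part of the original advisory) buckets endpoints by reported Chrome version. The hostnames and inventory rows are constructed, and the function names are illustrative. It also shows why a plain string comparison misclassifies 147.0.7727.55, the initial Chrome 147 release mentioned above.

```python
FIXED = (147, 0, 7727, 101)  # first fixed build for Windows, as stated on this page

def parse_version(text):
    """Parse a four-part Chrome version ('147.0.7727.101') into an int tuple."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version: {text!r}")
    return tuple(int(p) for p in parts)

def is_patched(version, fixed=FIXED):
    """Numeric, field-by-field comparison against the fixed build."""
    return parse_version(version) >= fixed

def naive_is_patched(version, fixed="147.0.7727.101"):
    """WEAK: string comparison orders '55' after '101' because '5' > '1'."""
    return version >= fixed

def triage(inventory):
    """Bucket (host, version) pairs; unparseable versions are never assumed safe."""
    result = {"vulnerable": [], "patched": [], "unknown": []}
    for host, version in inventory:
        try:
            bucket = "patched" if is_patched(version) else "vulnerable"
        except ValueError:
            bucket = "unknown"
        result[bucket].append(host)
    return result

# Constructed inventory: hostnames are made up; the 147.x versions are the
# ones named on this page, and "146.0.0.0" is a placeholder for an older build.
SAMPLE = [
    ("ws-001", "147.0.7727.55"),   # initial Chrome 147 release, predates the fix
    ("ws-002", "147.0.7727.101"),
    ("ws-003", "147.0.7727.102"),
    ("ws-004", "146.0.0.0"),
    ("ws-005", ""),                # agent reported no version
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
    # The string comparison wrongly reports the .55 build as patched.
    print("naive check on .55:", naive_is_patched("147.0.7727.55"))
```

Hosts in the `unknown` bucket need a follow-up inventory check rather than being counted as patched.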
Vendor Security History
Google has a well established security program for Chrome, including a Vulnerability Reward Program that incentivizes responsible disclosure from external researchers. However, the 2026 threat landscape for Chrome has been notably active. By April 2026, Google had already released emergency updates to address four separate zero day vulnerabilities that were confirmed exploited in attacks:
- An iterator invalidation bug (February 2026)
- An out of bounds write in the Skia 2D graphics library
- An inappropriate implementation vulnerability in the V8 JavaScript engine
- A use after free weakness in Dawn (the WebGPU implementation)
This frequency of zero day exploitation underscores that advanced threat actors are actively investing in Chrome vulnerability research. While CVE-2026-6359 has not been linked to active exploitation, the pattern of chained exploits targeting Chrome's renderer and sandbox boundaries makes timely patching a practical necessity rather than a theoretical best practice.
References
- CVE-2026-6359 Detail, NVD
- CVE Record: CVE-2026-6359
- Chrome Releases: Stable Channel Update for Desktop, April 15, 2026
- Chromium Issue 490251701
- Chrome for Android Update, April 15, 2026
- Update Google Chrome, Google Support
- Desktop Browser Market Share Worldwide, StatCounter
- Browser Market Share Worldwide, StatCounter
- Chrome Vulnerability Reward Program Rules
- Google fixes fourth Chrome zero day exploited in attacks in 2026, BleepingComputer
- CISA Adds Two Known Exploited Vulnerabilities to Catalog, April 14, 2026
- CISA Known Exploited Vulnerabilities Catalog



