Introduction
A use-after-free vulnerability in Google Chrome's FileSystem component gives remote attackers a path to object corruption and potential code execution through nothing more than a crafted web page. With Chrome installed on roughly 3.62 billion devices and holding over 75% of the desktop browser market, CVE-2026-6360 represents a significant exposure surface that security teams should address promptly through the patch Google released on April 15, 2026.
Technical Information
The root cause of CVE-2026-6360 is a use-after-free condition (CWE-416) in Chrome's FileSystem component. This is the internal browser subsystem responsible for handling the File System Access API and legacy file system operations. A use-after-free occurs when a program continues to reference a pointer after the memory it points to has been freed. If an attacker can successfully reallocate that freed memory with controlled data, they can corrupt valid objects or manipulate heap metadata to hijack execution flow.
Use-after-free bugs in the FileSystem component are particularly concerning because this subsystem manages object lifetimes tied to asynchronous I/O callbacks. If an object is freed while a pending callback still holds a dangling reference, an attacker can spray the heap with controlled data and hijack execution when the stale pointer is dereferenced. The NVD description confirms the flaw allowed "a remote attacker to potentially exploit object corruption via a crafted HTML page."
CVSS Breakdown
CISA ADP assigned a CVSS 3.1 base score of 8.8 with the vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The individual metrics tell a clear story:
| Metric | Value | Implication |
|---|---|---|
| Attack Vector | Network (N) | Exploitable remotely over the internet |
| Attack Complexity | Low (L) | No advanced system conditions required |
| Privileges Required | None (N) | Attacker needs no prior authentication |
| User Interaction | Required (R) | Victim must visit a crafted HTML page |
| Confidentiality | High (H) | Full compromise possible |
| Integrity | High (H) | Full compromise possible |
| Availability | High (H) | Full compromise possible |
Attack Flow
The exploitation sequence for this vulnerability would proceed as follows:
- An attacker crafts a malicious HTML page designed to trigger the use-after-free condition in Chrome's FileSystem component.
- The victim is lured to visit this page through social engineering, a malicious advertisement, or a compromised legitimate website.
- When the page loads, it exercises the FileSystem API in a way that causes an object to be freed while a reference to it is still held.
- The attacker's page then performs heap spraying to place controlled data in the freed memory region.
- When Chrome subsequently dereferences the stale pointer, the attacker's data is interpreted as a valid object, enabling object corruption.
- Depending on the attacker's payload, this can lead to arbitrary code execution within the Chrome renderer sandbox, a denial of service condition, or further exploitation to escape the sandbox.
Because the exploit requires only that a user visit a web page and needs no elevated privileges or installed extensions, it presents a meaningful drive-by download risk for enterprise environments. The underlying Chromium bug tracker issue (497880137) remains access-restricted, which is standard Chrome practice to prevent premature disclosure of exploitation details.
Patch Information
Google addressed CVE-2026-6360 in a Chrome Stable channel update released on April 15, 2026, bumping desktop versions to 147.0.7727.101/102 for Windows and macOS and 147.0.7727.101 for Linux. This update was a point release on top of the initial Chrome 147 baseline (147.0.7727.55/56, released April 7), meaning the fix was backported into the existing stable branch rather than waiting for the next major milestone.
The Chrome Releases blog post lists the fix in its security table as:
[TBD][497880137] High CVE-2026-6360: Use after free in FileSystem. Reported by asjidkalam on 2026-03-31
The bounty is listed as "TBD," indicating Google acknowledged the external report but had not yet finalized the reward at the time of publication. This CVE was one of 31 security fixes shipped in this single stable update, alongside several other Critical and High severity issues spanning ANGLE, Skia, V8/Turbofan, PDFium, Dawn, and other components.
| Operating System | Vulnerable Versions | Fixed Version |
|---|---|---|
| Linux | Prior to 147.0.7727.101 | 147.0.7727.101 or later |
| macOS | Prior to 147.0.7727.101/102 | 147.0.7727.101/102 or later |
| Windows | Prior to 147.0.7727.101/102 | 147.0.7727.101/102 or later |
Chrome's built-in auto-update mechanism handles this update, but it requires a browser restart to activate the patched binary. Network administrators should verify that auto-update is functioning across their fleet or manually push updates via enterprise management tools. The Canadian Centre for Cyber Security and the Hong Kong CERT both strongly encourage users and administrators to apply these updates immediately.
The Chromium bug tracker issue remains access-restricted, so no source-level diff or commit detail is publicly available yet. The full changelog between the previous baseline and the patched version can be browsed at the Chromium source log comparing 147.0.7727.56..147.0.7727.102, but the specific FileSystem fix commit is not individually identifiable from publicly visible data at this time.
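A fleet check along these lines, as an added example that is not from Google or the original advisory: it compares installed and running Chrome builds against the fixed version in the table above and separates hosts whose patched binary is not yet active because the browser has not restarted. The inventory format, host names and status labels are assumptions, and the sample rows are constructed.

```python
# Added example: classify hosts against the fixed Chrome build for CVE-2026-6360.
# Inventory columns and status labels are assumptions; rows are constructed.
import csv
import io

# Lowest fixed build on every desktop platform per the advisory table
# (Windows/macOS may also report .102, which compares as patched).
FIXED = (147, 0, 7727, 101)

SAMPLE_INVENTORY = """host,os,installed,running
ws-001,windows,147.0.7727.102,147.0.7727.102
ws-002,windows,147.0.7727.102,147.0.7727.56
mac-003,macos,147.0.7727.55,147.0.7727.55
lnx-004,linux,147.0.7727.101,147.0.7727.101
lnx-005,linux,147.0.7727.99,147.0.7727.99
ws-006,windows,unknown,
"""

def parse_version(text):
    """Return a 4-tuple of ints, or None if text is not a Chrome version."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(installed, running):
    """Compare numerically; a string compare would rank .99 above .101."""
    inst, run = parse_version(installed), parse_version(running or "")
    if inst is None:
        return "unknown"
    if inst < FIXED:
        return "vulnerable"
    # Patched binary on disk, but the live process predates the fix.
    if run is not None and run < FIXED:
        return "restart-pending"
    # No running-version data: judged on the installed build alone.
    return "patched"

def audit(inventory_csv):
    """Map each host in the CSV inventory to its status."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["host"]: classify(r["installed"], r["running"]) for r in rows}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}\t{status}")
```

Hosts reported as restart-pending are still running the vulnerable process even though the update has been downloaded.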
Affected Systems and Versions
The vulnerability affects all Google Chrome desktop installations across Windows, macOS, and Linux platforms running versions prior to the patched release:
- Windows: All versions prior to 147.0.7727.101/102
- macOS: All versions prior to 147.0.7727.101/102
- Linux: All versions prior to 147.0.7727.101
This includes the initial Chrome 147 baseline release (147.0.7727.55/56, released April 7, 2026) and all earlier versions. Any Chromium-based browser that incorporates the affected FileSystem component code may also be vulnerable, though vendor-specific advisories should be consulted for confirmation.
Vendor Security History
Google maintains a robust security infrastructure for Chrome, including a Vulnerability Reward Program that provides monetary awards for responsibly disclosed bugs. The "TBD" bounty status for CVE-2026-6360 indicates the reward was still being evaluated at the time of the patch release.
To combat the exploitation of zero-day vulnerabilities, Google shifted to a biweekly release cadence for Chrome, which successfully reduced their average patch gap to approximately 15 days. This rapid deployment capability was evident in the swift turnaround for CVE-2026-6360: the bug was reported on March 31, 2026, and the patch shipped on April 15, 2026.
The use-after-free vulnerability class has been a recurring theme in Chrome security issues. Earlier in April 2026, Google patched CVE-2026-5281, another use-after-free flaw that was confirmed to have an active exploit in the wild. That vulnerability targeted a different component but shared the same CWE-416 classification, underscoring a persistent pattern of memory safety challenges across Chrome's codebase. Organizations should monitor the CISA Known Exploited Vulnerabilities catalog for any status changes regarding CVE-2026-6360, given the demonstrated attacker interest in this vulnerability class.
References
- CVE-2026-6360 Detail, NVD
- Chrome Releases: Stable Channel Update for Desktop (April 15, 2026)
- Chromium Issue 497880137
- Google Chrome Security Advisory AV26-358, Canadian Centre for Cyber Security
- Google Chrome Multiple Vulnerabilities, Hong Kong CERT
- CWE-416: Use After Free
- Chrome Vulnerability Reward Program Rules
- An Update on Chrome Security Updates, Google Security Blog
- Google Fixes Chrome Zero Day CVE-2026-5281, Help Net Security
- CISA Adds Two Known Exploited Vulnerabilities to Catalog (April 14, 2026)



