Introduction
A type confusion flaw in Chrome's V8 JavaScript engine, now tracked as CVE-2026-6363, allows a remote attacker to trigger out of bounds memory access simply by luring a user to a crafted web page. With Chrome commanding somewhere between 65 and 79 percent of the global desktop browser market, even a "Medium" severity rating from the Chromium team translates into an enormous number of potentially affected endpoints, and CISA ADP's independent assessment came in at a CVSS 8.8 (High).
Technical Information
Root Cause: CWE-843 Type Confusion in V8
CVE-2026-6363 falls under CWE-843, which describes the access of a resource using an incompatible type. In practical terms, this means V8 allocates or initializes an object under one type assumption, then later accesses that same memory region as though it were a different, incompatible type. Because V8 is implemented in C++, a language without memory safety guarantees, this mismatch can cause the engine to read or write memory outside the intended bounds of the original buffer.
Type confusion vulnerabilities in V8 frequently originate in the optimizing compiler pipeline. V8 uses feedback driven type specialization: as JavaScript code runs in the interpreter (Ignition), the engine collects type feedback for variables, property accesses, and call sites. The optimizing compilers (TurboFan and Maglev) then use this feedback to emit specialized machine code that assumes specific object layouts, known internally as "maps." Normally every such assumption is protected: the compiled code either checks an object's map before using it, or depends on a runtime invariant that triggers deoptimization back to the interpreter when it stops holding. A type confusion arises when that protection is missing or defeated, for example when a check is wrongly elided because the compiler believes it redundant, or when a side effect (a user defined getter, valueOf, or Proxy trap that runs in the middle of an operation) changes an object's map after the check but before the access. The compiled code then operates on memory using the wrong layout: fields it expects at certain offsets overlap with entirely different data, or extend past the actual allocation boundary.
The consequence is out of bounds memory access. Depending on how the confused types differ in size and structure, an attacker may be able to:
- Read memory contents beyond the intended object boundary (information disclosure).
- Write attacker controlled values into adjacent memory (memory corruption).
- Chain these primitives to achieve further control, typically arbitrary code execution inside the sandboxed renderer process, which must then be combined with a separate sandbox escape to reach the rest of the system.
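The memory level effect described above, as an added example that is not V8 code and not from the original page: two constructed object layouts share a leading map word, an accessor that trusts a stale layout assumption reads past the smaller object into the neighbouring allocation, and a guarded accessor re-checks the map first. The arena, the two layouts, the field names and the secret value are all assumptions for illustration; all accesses go through memcpy inside one byte array so the program stays well defined while still showing the cross-object read and write.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of CWE-843, not V8 code.  Both layouts start with a
 * "map" word identifying the layout, as V8 objects carry a map pointer. */
enum { MAP_SMALL = 1, MAP_LARGE = 2 };
typedef struct { uint32_t map; uint32_t a; } small_obj;                           /* 8 bytes  */
typedef struct { uint32_t map; uint32_t a; uint32_t b; uint32_t c; } large_obj;   /* 16 bytes */

/* A byte arena standing in for a heap region; objects are adjacent, so a
 * read past the small object lands in the next allocation (the "secret"). */
enum { LARGE_OFF = 0, SMALL_OFF = 16, SECRET_OFF = 24, ARENA_SIZE = 32 };
static uint8_t arena[ARENA_SIZE];

void build_arena(void) {
    large_obj l = { MAP_LARGE, 0x22222222u, 0xDEADBEEFu, 0xCAFEBABEu };
    small_obj s = { MAP_SMALL, 0x11111111u };
    uint32_t secret = 0x5EC2E700u;            /* unrelated data next to the small object */
    memset(arena, 0, sizeof arena);
    memcpy(arena + LARGE_OFF, &l, sizeof l);
    memcpy(arena + SMALL_OFF, &s, sizeof s);
    memcpy(arena + SECRET_OFF, &secret, sizeof secret);
}

static uint32_t load_u32(const uint8_t *p) { uint32_t v; memcpy(&v, p, sizeof v); return v; }
uint32_t peek_secret(void) { return load_u32(arena + SECRET_OFF); }

/* "Optimized" accessors: assume obj is a large_obj and touch field b at
 * offset 8 with no map check, i.e. the state after a guard was wrongly
 * elided.  On a small_obj (8 bytes) this runs past the object. */
uint32_t read_b_unchecked(const uint8_t *obj) {
    return load_u32(obj + offsetof(large_obj, b));
}
void write_b_unchecked(uint8_t *obj, uint32_t v) {
    memcpy(obj + offsetof(large_obj, b), &v, sizeof v);
}

/* Guarded accessors: re-check the map before trusting the layout, the job a
 * map check does in V8's compiled code.  A mismatch returns -1 / 0, the
 * equivalent of a deoptimization or bailout instead of a wrong-layout access. */
int64_t read_b_checked(const uint8_t *obj) {
    if (load_u32(obj) != MAP_LARGE) return -1;
    return (int64_t)load_u32(obj + offsetof(large_obj, b));
}
int write_b_checked(uint8_t *obj, uint32_t v) {
    if (load_u32(obj) != MAP_LARGE) return 0;
    memcpy(obj + offsetof(large_obj, b), &v, sizeof v);
    return 1;
}

int main(void) {
    build_arena();
    printf("large.b  unchecked = 0x%08x\n", read_b_unchecked(arena + LARGE_OFF));
    printf("small.'b' unchecked = 0x%08x  <- neighbouring secret leaked\n",
           read_b_unchecked(arena + SMALL_OFF));
    printf("small.'b' checked   = %lld (bailout)\n", (long long)read_b_checked(arena + SMALL_OFF));
    write_b_unchecked(arena + SMALL_OFF, 0x41414141u);
    printf("secret after confused write = 0x%08x\n", peek_secret());
    return 0;
}
```

The two unchecked functions are the read and write primitives listed above; in a real exploit the "secret" slot would be a neighbouring JSObject or ArrayBuffer whose length or backing pointer the attacker overwrites to turn the confusion into unbounded access.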
Attack Flow
The attack vector for CVE-2026-6363 is network based and requires user interaction. The CVSS 3.1 vector string is AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H: network attack vector, low attack complexity, no privileges required, user interaction required, scope unchanged, and high impact on confidentiality, integrity, and availability. The attack unfolds as follows:
- Delivery: The attacker hosts a maliciously crafted HTML page containing JavaScript designed to trigger the type confusion condition in V8.
- User interaction: The attacker convinces a target user to navigate to the malicious page, for example through phishing, social engineering, or embedding the page in an iframe on a compromised site.
- Trigger: When Chrome's V8 engine processes the JavaScript on the page, the crafted input causes the optimizing compiler to emit code based on an incorrect type assumption. Subsequent execution of that optimized code accesses memory using the wrong type layout.
- Impact: The out of bounds memory access occurs within the Chrome renderer process. The CVSS assessment rates the impact as High across confidentiality, integrity, and availability, meaning the attacker can potentially read sensitive data, corrupt memory, and crash the process.
No elevated privileges are required on the part of the attacker, and the attack complexity is rated Low, meaning no special conditions or race windows need to be won.
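To make the 8.8 traceable rather than taken on trust, here is an added CVSS v3.1 base score calculator (not from the original page and not an official CVSS tool) that parses the vector string above and applies the published v3.1 equations; it also shows what the same bug would score without the user interaction requirement. Metric weights, the Scope-dependent impact formula and the "round up to one decimal" rule follow the CVSS v3.1 specification; the function and type names are this example's own.

```c
#include <stdio.h>
#include <string.h>

typedef struct { char av, ac, pr, ui, s, c, i, a; } cvss31_base;

/* Store a metric value only if it is one of the allowed letters. */
static int setm(char *dst, char v, const char *allowed) {
    if (!v || !strchr(allowed, v)) return 0;
    *dst = v; return 1;
}

/* Parse "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"; an optional "CVSS:3.1/" prefix is
 * skipped.  Returns 1 when all eight base metrics are present and valid. */
int cvss31_parse(const char *vec, cvss31_base *m) {
    int seen = 0;
    memset(m, 0, sizeof *m);
    while (*vec) {
        const char *sep = strchr(vec, '/');
        size_t len = sep ? (size_t)(sep - vec) : strlen(vec);
        int ok;
        if (len == 4 && vec[2] == ':') {
            if      (!strncmp(vec, "AV", 2)) { ok = setm(&m->av, vec[3], "NALP"); seen |= 1; }
            else if (!strncmp(vec, "AC", 2)) { ok = setm(&m->ac, vec[3], "LH");   seen |= 2; }
            else if (!strncmp(vec, "PR", 2)) { ok = setm(&m->pr, vec[3], "NLH");  seen |= 4; }
            else if (!strncmp(vec, "UI", 2)) { ok = setm(&m->ui, vec[3], "NR");   seen |= 8; }
            else ok = 0;
        } else if (len == 3 && vec[1] == ':') {
            if      (vec[0] == 'S') { ok = setm(&m->s, vec[2], "UC");  seen |= 16; }
            else if (vec[0] == 'C') { ok = setm(&m->c, vec[2], "HLN"); seen |= 32; }
            else if (vec[0] == 'I') { ok = setm(&m->i, vec[2], "HLN"); seen |= 64; }
            else if (vec[0] == 'A') { ok = setm(&m->a, vec[2], "HLN"); seen |= 128; }
            else ok = 0;
        } else {
            ok = len >= 4 && !strncmp(vec, "CVSS", 4);   /* version prefix */
        }
        if (!ok) return 0;
        vec = sep ? sep + 1 : vec + len;
    }
    return seen == 255;
}

/* CVSS v3.1 base metric weights. */
static double w_av(char v) { return v == 'N' ? 0.85 : v == 'A' ? 0.62 : v == 'L' ? 0.55 : 0.20; }
static double w_ac(char v) { return v == 'L' ? 0.77 : 0.44; }
static double w_pr(char v, int changed) {
    if (v == 'N') return 0.85;
    if (v == 'L') return changed ? 0.68 : 0.62;
    return changed ? 0.50 : 0.27;
}
static double w_ui(char v)  { return v == 'N' ? 0.85 : 0.62; }
static double w_cia(char v) { return v == 'H' ? 0.56 : v == 'L' ? 0.22 : 0.0; }

/* Spec "Roundup": smallest one-decimal value >= x, computed on integers to
 * avoid floating point surprises (no libm needed). */
static double roundup1(double x) {
    long long i = (long long)(x * 100000.0 + 0.5);
    if (i % 10000 == 0) return i / 100000.0;
    return (double)(i / 10000 + 1) / 10.0;
}

double cvss31_base_score(const cvss31_base *m) {
    int changed = m->s == 'C';
    double iss = 1.0 - (1.0 - w_cia(m->c)) * (1.0 - w_cia(m->i)) * (1.0 - w_cia(m->a));
    double impact, expl, total;
    if (changed) {
        double t = iss - 0.02, p = 1.0; int k;
        for (k = 0; k < 15; k++) p *= t;          /* (iss - 0.02)^15 */
        impact = 7.52 * (iss - 0.029) - 3.25 * p;
    } else {
        impact = 6.42 * iss;
    }
    expl = 8.22 * w_av(m->av) * w_ac(m->ac) * w_pr(m->pr, changed) * w_ui(m->ui);
    if (impact <= 0.0) return 0.0;
    total = changed ? 1.08 * (impact + expl) : impact + expl;
    if (total > 10.0) total = 10.0;
    return roundup1(total);
}

/* Convenience wrapper: -1.0 signals a malformed vector. */
double cvss31_score(const char *vec) {
    cvss31_base m;
    return cvss31_parse(vec, &m) ? cvss31_base_score(&m) : -1.0;
}

const char *cvss31_severity(double s) {
    if (s <= 0.0) return "None";
    if (s < 4.0)  return "Low";
    if (s < 7.0)  return "Medium";
    if (s < 9.0)  return "High";
    return "Critical";
}

int main(void) {
    const char *vec = "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H";   /* vector from the advisory */
    double s = cvss31_score(vec);
    printf("%s -> %.1f (%s)\n", vec, s, cvss31_severity(s));
    s = cvss31_score("AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");   /* same bug, no user interaction */
    printf("without UI:R -> %.1f (%s)\n", s, cvss31_severity(s));
    return 0;
}
```

For the advisory's vector the exploitability sub score is 8.22 × 0.85 × 0.77 × 0.85 × 0.62 ≈ 2.84 and the impact sub score 6.42 × (1 − 0.44³) ≈ 5.87, so the base score is roundup(8.71) = 8.8; dropping the UI:R requirement alone would push it to 9.8 (Critical), which is why the "luring a user" step matters to the rating.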
Severity Divergence
It is worth noting the gap between the CISA ADP assessment (CVSS 8.8, High) and Google's internal Chromium severity rating (Medium). Chromium's severity guidelines rate a bug by what an attacker can actually do from web content given Chrome's process model: memory corruption in the sandboxed renderer that is reachable from a web page is normally rated High, Critical is reserved for bugs that escape the sandbox or otherwise run code outside it, and Medium covers bugs with a more constrained impact, such as an out of bounds read limited to a small or non sensitive region, or corruption that needs unusual preconditions or user interaction. A Medium rating for this bug therefore suggests the triage team judged the out of bounds access to be constrained in some such way; the specific reasoning will only be visible once the restricted bug is opened. The CVSS score, by contrast, rates the worst case impact on the vulnerable component in isolation: the S:U (scope unchanged) metric records that the renderer sandbox is not assumed to be crossed, but confidentiality, integrity, and availability are still rated High for the data and execution the renderer holds.
Patch Information
Google addressed CVE-2026-6363 through a Stable Channel update for Chrome Desktop, released on April 15, 2026. The fix is shipped in Chrome 147.0.7727.101 for Linux and 147.0.7727.101/.102 for Windows and Mac.
The specific engineering details of the fix, such as the exact commit, changed files, and code diff, are not yet publicly available. The associated Chromium bug tracker entry (issues.chromium.org/issues/495751197) is currently access restricted, which is standard Chromium practice for security sensitive bugs. The Chromium project typically keeps these issues locked until a significant majority of users have had a chance to apply the update, after which the bug and the corresponding fix commit are derestricted for public review.
Based on the nature of the vulnerability, the patch almost certainly tightens type checking logic within V8's internal pipeline, likely in the optimizing compiler (TurboFan or Maglev) or in the way feedback driven type specializations are applied. Patches for type confusion issues in V8 typically add explicit type guards or map checks at critical junctures to ensure the runtime type matches what the compiled code expects.
To apply this fix, users need to update their Chrome browser to version 147.0.7727.101 or later. Chrome's built in auto update mechanism will roll this out automatically, but administrators can accelerate deployment by navigating to chrome://settings/help to trigger a manual update check. Enterprise administrators can use the Google Admin console to enforce updates across enrolled browsers.
| Operating System | Fixed Version |
|---|---|
| Linux | 147.0.7727.101 |
| Windows | 147.0.7727.101 or 147.0.7727.102 |
| Mac | 147.0.7727.101 or 147.0.7727.102 |
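Because "147.0.7727.101 or later" has to be checked numerically rather than lexically (a plain string compare ranks 147.0.7727.99 above 147.0.7727.101), here is an added example, not from the page, that compares dotted Chrome version strings component by component and pulls the version out of a line in the shape that google-chrome --version prints on Linux. The sample line is constructed and the exact output format is an assumption; the fixed version constant is the Linux build from the table above, and the Windows/Mac .102 build compares as later than it.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fixed Linux build from the advisory table; .102 (Windows/Mac) compares later. */
#define CVE_2026_6363_FIXED "147.0.7727.101"

/* Read one dotted component and advance *p past it and its dot.  A missing
 * trailing component counts as 0, so "147.0" < "147.0.7727.101".
 * Returns 0 when the token is not numeric. */
static int next_component(const char **p, long *out) {
    char *end;
    if (**p == '\0') { *out = 0; return 1; }
    *out = strtol(*p, &end, 10);
    if (end == *p) return 0;
    *p = end;
    if (**p == '.') (*p)++;
    return 1;
}

/* Numeric comparison of dotted versions.  Writes -1/0/1 to *cmp and returns
 * 1, or returns 0 if either string is malformed. */
int compare_versions(const char *a, const char *b, int *cmp) {
    while (*a || *b) {
        long x, y;
        if (!next_component(&a, &x) || !next_component(&b, &y)) return 0;
        if (x != y) { *cmp = x < y ? -1 : 1; return 1; }
    }
    *cmp = 0;
    return 1;
}

/* 1 = installed is the fixed version or later, 0 = still vulnerable,
 * -1 = version string could not be parsed (treat as unknown, not as safe). */
int chrome_is_patched(const char *installed, const char *fixed) {
    int cmp;
    if (!compare_versions(installed, fixed, &cmp)) return -1;
    return cmp >= 0;
}

/* Copy the first run of digits and dots out of a line such as
 * "Google Chrome 147.0.7727.101" (constructed sample shape).
 * Returns the number of characters copied, 0 if none found. */
size_t extract_version(const char *line, char *out, size_t outsz) {
    const char *p = line;
    size_t n = 0;
    while (*p && !isdigit((unsigned char)*p)) p++;
    while (*p && (isdigit((unsigned char)*p) || *p == '.') && n + 1 < outsz) out[n++] = *p++;
    out[n] = '\0';
    return n;
}

int main(void) {
    /* Constructed sample lines; in practice feed the output of
     * `google-chrome --version` or an inventory export here. */
    const char *samples[] = { "Google Chrome 147.0.7727.99", "Google Chrome 147.0.7727.102" };
    size_t k;
    for (k = 0; k < sizeof samples / sizeof samples[0]; k++) {
        char ver[32];
        if (!extract_version(samples[k], ver, sizeof ver)) { puts("no version found"); continue; }
        printf("%-16s -> %s\n", ver,
               chrome_is_patched(ver, CVE_2026_6363_FIXED) == 1 ? "patched" : "VULNERABLE");
    }
    return 0;
}
```

A parse failure is reported as -1 rather than folded into "patched"; an inventory script should surface those hosts for manual review instead of silently counting them as fixed.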
Affected Systems and Versions
All versions of Google Chrome prior to 147.0.7727.101 on Linux, Windows, and Mac are affected. Specifically:
- Linux: All Chrome versions prior to 147.0.7727.101
- Windows: All Chrome versions prior to 147.0.7727.101 (or 147.0.7727.102)
- Mac: All Chrome versions prior to 147.0.7727.101 (or 147.0.7727.102)
Any Chromium based browser that incorporates the affected V8 engine version may also be vulnerable, though vendor specific advisories should be consulted for those products.
Vendor Security History
Google maintains one of the most active vulnerability management programs in the industry. The Chrome Vulnerability Reward Program offers payouts up to 250,000 USD for critical remote code execution bugs, incentivizing a large community of external researchers to find and responsibly disclose issues. Type confusion vulnerabilities in V8 are a recurring class of finding; the V8 engine's aggressive speculative optimization strategy inherently creates a complex attack surface around type assumptions. Google has responded to this pattern by investing in compiler hardening, adopting the two week release cycle to ship fixes faster, and maintaining strict bug access restrictions until patches reach broad deployment.
References
- CVE-2026-6363 Detail, NVD
- CVE-2026-6363, CVE.org
- Chrome Releases: Stable Channel Update for Desktop, April 15, 2026
- Chromium Bug Tracker: Issue 495751197
- CWE-843: Access of Resource Using Incompatible Type
- Chromium Severity Guidelines for Security Issues
- HKCERT: Google Chrome Multiple Vulnerabilities
- Canadian Centre for Cyber Security: Google Chrome Security Advisory AV26-358
- SecurityWeek: Google Now Offering Up to $250,000 for Chrome Vulnerabilities
- BleepingComputer: Google Chrome Shifts to Two Week Release Cycle