Google disclosed two high-severity use-after-free vulnerabilities in Chrome, CVE-2026-6302 and CVE-2026-6304, affecting versions prior to 147.0.7727.101. The flaws reside in the browser's Video and Graphite components and can be triggered with a crafted HTML page. CVE-2026-6302 could allow a remote attacker to execute arbitrary code inside the sandbox, while CVE-2026-6304 could let an attacker who has already compromised the renderer process potentially escape Chrome's sandbox.
Both issues are classified as CWE-416 use-after-free bugs and were rated High severity by Chromium. The published CVSS v3.1 vectors indicate significant potential impact to confidentiality, integrity, and availability, with CVE-2026-6302 scored as AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H and CVE-2026-6304 as AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H. Organizations running Chrome should prioritize upgrading to 147.0.7727.101 or later to mitigate the risk from malicious web content targeting these memory-safety flaws.

3 events from the most recent confirmed update back to the earliest known activity.
Later on April 15, 2026, the CVE records for both Chrome vulnerabilities were updated with CVSS v3.1 vectors. The updates quantified the potential confidentiality, integrity, and availability impact of the two high-severity flaws.
Google disclosed CVE-2026-6304 on April 15, 2026 as a high-severity use-after-free vulnerability in Chrome's Graphite component affecting versions prior to 147.0.7727.101. The issue could allow an attacker, after compromising the renderer process, to potentially escape Chrome's sandbox using a crafted HTML page.
Google disclosed CVE-2026-6302 on April 15, 2026 as a high-severity use-after-free vulnerability in Chrome's Video component affecting versions prior to 147.0.7727.101. The flaw could allow a remote attacker to execute arbitrary code inside the sandbox via a crafted HTML page.