High

Use-after-free RCE in Google Chrome Prerender

IdentifiersCVE-2026-6299CWE-416· Use After Free

CVE-2026-6299 is a critical use-after-free vulnerability in Google Chrome's Prerender component affecting versions prior to 147.0.7727.101. The flaw is a lifetime-management bug in the prerender cancellation path: when a prerendered new-tab WebContents is canceled, synchronous destruction of the associated PrerenderNewTabHandle/WebContents can occur while BrowsingDataRemoverImpl is iterating over a snapshot of live WebContents raw pointers. This leaves a dangling pointer that can later be dereferenced, creating a use-after-free condition. The vulnerable path can be triggered during prerender cancellation, including via BrowsingDataRemoverImpl::RemoveImpl, and the provided context specifically notes that a Clear-Site-Data HTTP header can trigger that removal flow. Because Chrome prerenders pages in a hidden background tab, attacker-controlled content may begin executing before the user explicitly clicks the destination. Successful exploitation allows a remote attacker to achieve arbitrary code execution via a crafted HTML page.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can result in arbitrary code execution in the context of the target Chrome process through memory corruption in the Prerender subsystem. The CVSS context provided indicates high impact to confidentiality, integrity, and availability. Because prerendered content can execute in the background before explicit navigation, the flaw increases practical exploitability compared with bugs that require a full user click-through before attacker-controlled code runs. Depending on exploit reliability and post-exploitation chaining, this can provide a foothold for further compromise of the browser session and potentially broader system impact.

Mitigation

If you can’t patch tonight, do this now.

No vendor workaround is confirmed in the provided content. If immediate patching is not possible, reducing exposure to prerender-triggered navigation paths may lower risk, but the content does not provide an official mitigation. The only confirmed mitigation/remediation in the available information is to apply the patched browser version.

Remediation

Patch, then assume compromise.

Update Google Chrome to version 147.0.7727.101 or later; the fix shipped in Chrome 147.0.7727.101/.102 on April 15, 2026. Chromium-based browsers that incorporate the affected Prerender code should be updated to builds that include the upstream Chromium fix for bug 497053588. The patch changes the cancellation/destruction model by replacing the instance cancellation method with a static ownership-transferring cancellation routine and deferring destruction with DeleteSoon() to avoid synchronous teardown during active iteration.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

GoogleChromeapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

10 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

10 SOURCESView more in app

cyber security newsNews

Apr 16, 2026

Critical Chrome Vulnerabilities Let Attackers Execute Arbitrary Code - Update Now!

A critical use-after-free vulnerability in Chrome's Prerender function that could enable arbitrary code execution.

cvefeed high severityNews

Apr 15, 2026

CVE-2026-6299 - Google Chrome Prerender Use After Free Arbitrary Code Execution

A critical use-after-free vulnerability in the Prerender component of Google Chrome that allows remote code execution via a crafted HTML page.

chrome releases blogNews

Apr 15, 2026

Chrome Releases: Stable Channel Update for Desktop

A critical use-after-free vulnerability in Prerender in Google Chrome.

zeropath blogNews

Apr 15, 2026

Google Chrome CVE-2026-6299: Brief Summary of a Critical Use After Free in Prerender - ZeroPath Blog | ZeroPath

A critical use-after-free remote code execution vulnerability in Google Chrome's Prerender feature caused by synchronous destruction of a live WebContents during prerender cancellation.

+1 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity4

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-6299

NVD

nvd.nist.gov/vuln/detail/CVE-2026-6299

MITRE CWE · CWE-416

Use After Free

Vendor Advisory

chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_15.html

Permissions Required

issues.chromium.org/issues/497053588