CVE-2026-6316

High

Published: 15 April 2026

Published

15 April 2026

Modified

17 April 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0014 33.5th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

Use after free in Forms in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mandates timely identification, reporting, and correction of software flaws like the use-after-free vulnerability in Chrome Forms via patch deployment to version 147.0.7727.101.

SI-16 Memory Protection partial match

prevent

Implements memory safeguards such as ASLR, DEP, and sandboxing enhancements that hinder arbitrary code execution from use-after-free exploits in Chrome.

RA-5 Vulnerability Monitoring and Scanning partial match

detect

Requires vulnerability scanning to identify deployed instances of vulnerable Google Chrome versions affected by CVE-2026-6316.

Security SummaryAI

CVE-2026-6316 is a use-after-free vulnerability (CWE-416) in the Forms component of Google Chrome prior to version 147.0.7727.101. Published on 2026-04-15, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is classified as High severity by Chromium security.

A remote attacker can exploit this vulnerability via a crafted HTML page, achieving arbitrary code execution inside the browser's sandbox. Exploitation requires user interaction, such as loading the malicious page, but needs no privileges and has low complexity over the network.

Mitigation is available in Google Chrome version 147.0.7727.101 and later, as announced in the stable channel update for desktop on the Chrome Releases blog (https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_15.html) and detailed in the Chromium issue tracker (https://issues.chromium.org/issues/499384399). Security practitioners should advise users to update promptly.

Details

CWE(s): CWE-416

Affected Products

google

chrome

≤ 147.0.7727.101

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution

Adversaries may exploit software vulnerabilities in client applications to execute code.

attack.mitre.org →

Why these techniques?

The vulnerability is a use-after-free in Google Chrome's Forms component exploited via a crafted HTML page for arbitrary code execution in the browser sandbox, directly enabling Exploitation for Client Execution (T1203).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_15.html
Release Notes, Vendor Advisory · chrome-cve-admin@google.com
https://issues.chromium.org/issues/499384399
Permissions Required · chrome-cve-admin@google.com