CVE-2026-6317

High

Published: 15 April 2026

Published

15 April 2026

Modified

17 April 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0014 33.5th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

Use after free in Cast in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly addresses the CVE by requiring timely identification, reporting, and remediation of flaws such as the use-after-free vulnerability through patching Chrome to version 147.0.7727.101 or later.

SI-16 Memory Protection good match

prevent

Implements memory protection mechanisms like ASLR, DEP, and stack canaries that directly mitigate use-after-free exploits by preventing unauthorized code execution from corrupted memory.

SI-3 Malicious Code Protection partial match

preventdetect

Deploys malicious code protection tools that can block or detect exploitation attempts via crafted HTML pages leading to arbitrary code execution in the browser.

Security SummaryAI

CVE-2026-6317 is a use-after-free vulnerability (CWE-416) in the Cast component of Google Chrome versions prior to 147.0.7727.101. It allows a remote attacker to execute arbitrary code by tricking a user into visiting a crafted HTML page. The vulnerability carries a Chromium security severity rating of High and a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high impact on confidentiality, integrity, and availability.

A remote attacker can exploit this vulnerability over the network with low complexity and no required privileges, but it requires user interaction, such as opening a malicious HTML page. Successful exploitation enables arbitrary code execution within the context of the browser, potentially leading to full compromise of the affected system.

Mitigation details are available in the Chrome Releases stable channel update announcement at https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_15.html and the associated Chromium issue tracker at https://issues.chromium.org/issues/500091052. Users should update to Google Chrome 147.0.7727.101 or later to address the issue.

Details

CWE(s): CWE-416

Affected Products

google

chrome

≤ 147.0.7727.101

MITRE ATT&CK Enterprise TechniquesAI

T1189 Drive-by Compromise Initial Access

Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.

attack.mitre.org →

T1203 Exploitation for Client Execution Execution

Adversaries may exploit software vulnerabilities in client applications to execute code.

attack.mitre.org →

Why these techniques?

The vulnerability is a use-after-free in Google Chrome exploited via a crafted HTML page, enabling drive-by compromise (T1189) and exploitation for client execution (T1203) through remote arbitrary code execution requiring user interaction to visit the malicious page.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_15.html
Release Notes, Vendor Advisory · chrome-cve-admin@google.com
https://issues.chromium.org/issues/500091052
Permissions Required · chrome-cve-admin@google.com