CVE-2026-6358
Published: 15 April 2026
Description
Use after free in XR in Google Chrome on Android prior to 147.0.7727.101 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Critical)
Mitigating Controls (NIST 800-53 r5) (AI-generated)
- Directly mandates timely identification, reporting, and patching of critical flaws like this use-after-free vulnerability in Chrome XR, preventing exploitation.
- Implements memory safeguards that protect against use-after-free vulnerabilities by preventing unauthorized disclosure, modification, or execution of out-of-bounds memory.
- Requires vulnerability scanning to detect and remediate instances of vulnerable Chrome versions affected by CVE-2026-6358 prior to exploitation.
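The third control above turns on one concrete check: is a given Chrome-on-Android install older than the fixed build 147.0.7727.101? The following is an added example (not code from the CVE record or from Google/Chromium) showing how to run that check over an inventory export, such as one pulled from an MDM. The record field names `device`, `platform` and `chrome_version` and the sample inventory are constructed assumptions. It compares versions numerically, because a plain string comparison would wrongly treat 147.0.7727.99 as newer than 147.0.7727.101.

```python
# Added example (not part of the CVE record): flag Chrome-on-Android installs
# whose version is below the fixed build named in the advisory.
from typing import Iterable

FIXED_VERSION = "147.0.7727.101"  # fixed build stated in the advisory text
CVE_ID = "CVE-2026-6358"


def parse_version(v: str) -> tuple[int, ...]:
    """Turn a dotted Chrome version like '147.0.7727.101' into a comparable tuple.

    Raises ValueError on anything that is not four dot-separated integers,
    so an inventory row with a missing or garbage version is never treated as safe.
    """
    parts = v.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version string: {v!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `version` is strictly older than the fixed build.

    Numeric tuple comparison matters here: as strings, '99' sorts after '101',
    so '147.0.7727.99' would look patched when it is not.
    """
    return parse_version(version) < parse_version(fixed)


def triage(inventory: Iterable[dict]) -> list[dict]:
    """Return the inventory records that need attention.

    Each record is assumed to carry 'device', 'platform' and 'chrome_version'
    (constructed field names, not from the advisory). Only Android entries are
    in scope for this CVE; other platforms are skipped.
    """
    findings = []
    for rec in inventory:
        if rec.get("platform") != "android":
            continue
        try:
            if is_vulnerable(rec["chrome_version"]):
                findings.append({**rec, "cve": CVE_ID,
                                 "action": f"update Chrome to >= {FIXED_VERSION}"})
        except (KeyError, ValueError) as exc:
            # Missing or unparseable version: surface it for manual verification
            # rather than silently dropping the device from the report.
            findings.append({**rec, "cve": CVE_ID,
                             "action": f"verify manually ({exc})"})
    return findings


# Constructed sample inventory for demonstration only.
SAMPLE_INVENTORY = [
    {"device": "pixel-01",  "platform": "android", "chrome_version": "146.0.7690.55"},
    {"device": "pixel-02",  "platform": "android", "chrome_version": "147.0.7727.101"},
    {"device": "galaxy-03", "platform": "android", "chrome_version": "147.0.7727.99"},
    {"device": "laptop-04", "platform": "windows", "chrome_version": "146.0.7690.55"},
    {"device": "tab-05",    "platform": "android", "chrome_version": "unknown"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY):
        print(finding["device"], finding.get("chrome_version"), "->", finding["action"])
```

Run against the constructed inventory, the script reports pixel-01 and galaxy-03 as needing the update and tab-05 as needing manual verification; the Windows laptop is out of scope for this Android-only CVE and pixel-02 is already on the fixed build.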
Security Summary (AI-generated)
CVE-2026-6358 is a use-after-free vulnerability (CWE-416) in the XR component of Google Chrome on Android versions prior to 147.0.7727.101. It enables a remote attacker to perform an out-of-bounds memory read through a crafted HTML page. The issue carries a Chromium security severity rating of Critical and a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high impact on confidentiality, integrity, and availability.
A remote attacker can exploit this vulnerability over the network with low complexity and no privileges required, though it necessitates user interaction such as visiting a malicious site. Successful exploitation allows arbitrary out-of-bounds memory reads, potentially leading to sensitive data exposure, code execution, or system compromise on affected Android devices running vulnerable Chrome versions.
Google's Chrome Releases blog announces a stable channel update addressing this issue, with the fix included in version 147.0.7727.101. Additional details are available in Chromium issue tracker entry 497724498. Users should update to the patched version to mitigate the risk.
Details
- CWE(s): CWE-416 (Use After Free)
- Affected Products: Google Chrome on Android, versions prior to 147.0.7727.101
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
The vulnerability is a use-after-free in Chrome exploited via a crafted HTML page from a remote attacker, enabling drive-by compromise (T1189) and exploitation for client execution (T1203) through user interaction like visiting a malicious site.