CVE-2026-6919

Critical

Published: 23 April 2026

Published

23 April 2026

Modified

24 April 2026

KEV Added

—

Patch

—

CVSS Score 9.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

EPSS Score 0.0012 30.1th percentile

Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Description

Use after free in DevTools in Google Chrome prior to 147.0.7727.117 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Requires timely identification, reporting, and patching of the specific use-after-free flaw in Chrome DevTools, preventing sandbox escape exploitation.

SI-16 Memory Protection partial match

prevent

Implements memory protection mechanisms like ASLR and DEP to mitigate exploitation of the use-after-free vulnerability in the compromised renderer process.

SC-39 Process Isolation partial match

prevent

Enforces process isolation to contain the impact of potential sandbox escapes from the compromised Chrome renderer process.

Security SummaryAI

CVE-2026-6919 is a use-after-free vulnerability (CWE-416) in the DevTools component of Google Chrome prior to version 147.0.7727.117. This flaw, published on 2026-04-23, carries a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H) and is rated High severity by Chromium security.

The vulnerability can be exploited by a remote attacker who has already compromised the renderer process, using a crafted HTML page to potentially achieve a sandbox escape. Exploitation requires user interaction, such as visiting a malicious site, but leverages network access with low complexity and no privileges.

Google addressed the issue in Chrome stable channel version 147.0.7727.117, as announced in the Chrome Releases blog post at https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_22.html and tracked in Chromium issue 493652473 at https://issues.chromium.org/issues/493652473. Security practitioners should prioritize updating affected Chrome installations to mitigate this high-severity sandbox escape risk.

Details

CWE(s): CWE-416

Affected Products

google

chrome

≤ 147.0.7727.116

MITRE ATT&CK Enterprise TechniquesAI

T1211 Exploitation for Stealth Stealth

Adversaries may exploit vulnerabilities to evade detection by hiding activity, suppressing logging, or operating within trusted or unmonitored components.

attack.mitre.org →

Why these techniques?

Use-after-free vulnerability in Chrome DevTools exploited via crafted HTML page enables sandbox escape, directly facilitating T1211 (Exploitation for Defense Evasion).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_22.html
Release Notes · chrome-cve-admin@google.com
https://issues.chromium.org/issues/493652473
Vendor Advisory, Permissions Required · chrome-cve-admin@google.com