Google Chrome Use-After-Free Vulnerability in Video Component (CVE-2026-6359)
CVE-2026-6359 is a use-after-free vulnerability in the Video component of Google Chrome on Windows prior to version 147.0.7727.101, allowing a remote attacker who has compromised the renderer process to achieve out-of-bounds memory access via a crafted HTML page.
CVE-2026-6359 is a high-severity vulnerability affecting Google Chrome on Windows. Specifically, a use-after-free flaw exists in the Video component of Chrome versions prior to 147.0.7727.101. The vulnerability can be exploited by a remote attacker who has already achieved compromise of the renderer process. By crafting a malicious HTML page, the attacker can trigger the use-after-free condition, leading to out-of-bounds memory access. This could potentially allow the attacker to execute arbitrary code or cause a denial-of-service condition. The Chromium security team has rated this vulnerability as "High" severity. This vulnerability was patched in the stable channel update released on April 15, 2026.
Attack Chain
- Attacker crafts a malicious HTML page designed to trigger the use-after-free vulnerability in Chrome's video processing component.
- The attacker compromises the renderer process, potentially through a separate vulnerability or social engineering.
- The compromised renderer process navigates to the malicious HTML page.
- The HTML page attempts to access a video object that has already been freed from memory.
- The use-after-free condition triggers, leading to memory corruption.
- The attacker leverages the memory corruption to gain out-of-bounds memory access.
- The attacker can potentially use this out-of-bounds access to execute arbitrary code within the context of the renderer process.
- The attacker pivots from the renderer process to further compromise the system, potentially exfiltrating data or installing malware.
Impact
Successful exploitation of CVE-2026-6359 allows a remote attacker to perform out-of-bounds memory access. While the initial vulnerability requires a compromised renderer process, successful exploitation could lead to arbitrary code execution, data exfiltration, or denial of service. The impact is significant for organizations relying on Chrome for Windows, potentially affecting all users who have not updated to version 147.0.7727.101 or later. The scope of impact depends on the attacker's objectives after gaining code execution, and could range from stealing credentials to deploying ransomware.
Recommendation
- Upgrade Google Chrome on Windows to version 147.0.7727.101 or later to patch CVE-2026-6359.
- Deploy the Sigma rule
Detect Chrome Use-After-Free via HTMLto your SIEM to detect potential exploitation attempts. - Monitor network traffic for suspicious activity originating from Chrome processes using network connection logs, potentially indicating post-exploitation behavior.
- Enable process creation logging via Sysmon to capture details of spawned processes from Chrome, assisting in identifying potential exploit payloads.
Detection coverage 2
Detect Chrome Use-After-Free via HTML
highDetects attempts to exploit Chrome use-after-free vulnerabilities by monitoring for suspicious HTML pages being accessed.
Detect Chrome Renderer Process Exploitation
mediumDetects potential exploitation of Chrome renderer processes by monitoring for unusual spawned processes.
Detection queries are available on the platform. Get full rules →
Indicators of compromise
1
| Type | Value |
|---|---|
| [email protected] |