Threat Advisory

ANGLE Vulnerability Enables Remote Code Execution

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Critical
EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in Google Chrome versions 146 and earlier, primarily affecting its graphics and rendering components. The vulnerabilities encompass a range of issues, including remote code execution (RCE) and use-after-free (UAF) bugs. Business risk and impact are substantial, as these flaws could allow attackers to escape the browser's sandbox, leading to arbitrary code execution and potentially compromising sensitive data. This situation demands immediate attention from security administrators to prevent exploitation and protect enterprise environments.

CVE-2026-6296 with a CVSS score of 9.6 – A critical heap buffer overflow in ANGLE allows a remote attacker to escape the browser's sandbox via a specially crafted HTML page, leading to arbitrary code execution.

CVE-2026-6297 with a CVSS score of 8.3 – A use-after-free bug in the Proxy component can be exploited by a remote attacker to execute arbitrary code.

CVE-2026-6298 with a CVSS score of 4.3 – A heap buffer overflow in the Skia 2D graphics library allows a remote attacker to potentially execute arbitrary code.

CVE-2026-6299 with a CVSS score of 8.8 – A use-after-free vulnerability in the browser's Prerender mechanism enables a remote attacker to execute arbitrary code.

CVE-2026-6358 with a CVSS score of 8.8 – A use-after-free flaw in Chrome's Extended Reality (XR) implementation can be exploited by a remote attacker to execute arbitrary code.

CVE-2026-6301 with a CVSS score of 8.8 – A type confusion vulnerability in Turbofan allows a remote attacker to potentially execute arbitrary code.

CVE-2026-6307 with a CVSS score of 8.8 – A type confusion vulnerability in Turbofan enables a remote attacker to potentially execute arbitrary code.

CVE-2026-6364 – An out-of-bounds read in Skia can be exploited by a remote attacker to access sensitive data.

The concentration of memory safety issues in this release demands immediate attention from security administrators to accelerate deployment across enterprise environments and close critical windows of exploitation. If exploited, these vulnerabilities could allow attackers to compromise sensitive data, disrupt business operations, and damage reputation.

RECOMMENDATION:

We recommend updating Google Chrome to version 147.0.7727.101/102.
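
To confirm the update has reached every endpoint, the following added example (not part of the original advisory) triages a software-inventory export against the fixed build. The CSV layout, host names and sample versions are constructed, and treating 147.0.7727.101 as the minimum patched build is an assumption.

```python
import csv
import io
import re

# Fixed build named in the recommendation above. Assumption: the lower of the
# two listed builds (147.0.7727.101) is used as the minimum patched version.
FIXED = (147, 0, 7727, 101)

# Constructed sample inventory export (host names and versions are made up).
SAMPLE_INVENTORY = """host,chrome_version
ws-001,147.0.7727.102
ws-002,147.0.7727.99
ws-003,146.0.7680.178
ws-004,147.0.7727.101
ws-005,
ws-006,148.0.7750.3
ws-007,not-installed
"""


def parse_version(text):
    """Return a 4-tuple of ints, or None if text is not a four-part version."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){3}", text, flags=re.ASCII):
        return None
    return tuple(int(part) for part in text.split("."))


def triage(inventory_csv, fixed=FIXED):
    """Sort hosts into patched / vulnerable / unknown by numeric comparison."""
    result = {"patched": [], "vulnerable": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        version = parse_version(row.get("chrome_version") or "")
        if version is None:
            bucket = "unknown"      # missing or unparsable: check the host manually
        elif version >= fixed:
            bucket = "patched"
        else:
            bucket = "vulnerable"   # e.g. .99 is below .101 numerically
        result[bucket].append(row["host"])
    return result


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts)}")
```

Versions are compared as integer tuples because a plain string comparison would rank 147.0.7727.99 above 147.0.7727.101 and report an unpatched host as current.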

REFERENCES:

The following reports contain further technical details:
https://securityonline.info/google-chrome-security-update-90k-bounty-cve-2026-6296/
