CVE-2026-6315 - Vulnerability Details

- Google Chrome: Chromium: Google Chrome/Chromium: Arbitrary code execution via use-after-free vulnerability

Description

Use after free in Permissions in Google Chrome on Android prior to 147.0.7727.101 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)

Published: 2026-04-15

Score: 8.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability is a use‑after‑free in the Permissions component of Google Chrome on Android prior to 147.0.7727.101. A remote attacker can execute arbitrary code if a user is compelled to perform specific UI gestures while a crafted HTML page is displayed. This flaw is classified under CWEs 416 and 825, and compromises the integrity and confidentiality of the device by allowing code execution within the browser process.

Affected Systems

Google Chrome for Android versions earlier than 147.0.7727.101 are affected. The April 2026 stable channel update (147.0.7727.101) contains the patch that mitigates this issue.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity, though the EPSS score is not available and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is a malicious web page that relies on user interaction to trigger the use‑after‑free. Once triggered, an attacker gains the same privileges as the browser, enabling arbitrary code execution on the device. The overall risk is significant due to the remote nature of the attack and the potential for widespread exploitation through crafted sites.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Google

Chrome

affected

Version	Status	Constraints
`147.0.7727.101`	affected	< 147.0.7727.101

Configuration 1 [-]

cpe:2.3:a:google:chrome:*:*:*:*:*:android:*:*

No data.

Vendor Product Confidence Versions

Google

Chrome

100%

Version	Status	Scheme	Platform
`[0,147.0.7727.101)`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update Google Chrome to the latest stable channel version (147.0.7727.101 or newer).
Use the Chrome settings to disable or restrict the Permissions API for untrusted sites through Site Settings or Content Settings.
Educate users to avoid clicking unknown links or performing unexpected UI gestures while browsing unfamiliar websites.

Generated by OpenCVE AI on April 17, 2026 at 06:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DSA	DSA-6214-1	chromium security update

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00119.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_15.html
https://issues.chromium.org/issues/499247910
https://nvd.nist.gov/vuln/detail/CVE-2026-6315
https://www.cve.org/CVERecord?id=CVE-2026-6315

History

Fri, 17 Apr 2026 19:15:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:google:chrome::::::android::*

Thu, 16 Apr 2026 12:15:00 +0000

Type	Values Removed	Values Added
Title	Use‑after‑Free in Chrome Permissions API on Android Enables Remote Code Execution	Google Chrome: Chromium: Google Chrome/Chromium: Arbitrary code execution via use-after-free vulnerability
Weaknesses		CWE-825
References		https://nvd.nist.gov/vuln/detail/CVE-2026-6315 https://www.cve.org/CVERecord?id=CVE-2026-6315
Metrics	threat_severity `None`	threat_severity `Critical`

Thu, 16 Apr 2026 02:45:00 +0000

Type	Values Removed	Values Added
Title		Use‑after‑Free in Chrome Permissions API on Android Enables Remote Code Execution

Wed, 15 Apr 2026 22:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Google Google chrome
Vendors & Products		Google Google chrome

Wed, 15 Apr 2026 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Wed, 15 Apr 2026 19:30:00 +0000

Type	Values Removed	Values Added
Description		Use after free in Permissions in Google Chrome on Android prior to 147.0.7727.101 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)
Weaknesses		CWE-416
References		https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_15.html https://issues.chromium.org/issues/499247910

Subscriptions

Google Chrome

MITRE

Status: PUBLISHED

Assigner: Chrome

Published: 2026-04-15T19:04:55.935Z

Updated: 2026-04-16T03:55:50.553Z

Reserved: 2026-04-14T18:12:26.786Z

Link: CVE-2026-6315

Vulnrichment

Updated: 2026-04-15T19:42:22.410Z

NVD

Status : Analyzed

Published: 2026-04-15T20:16:41.417

Modified: 2026-04-17T19:07:23.017

Link: CVE-2026-6315

Redhat

Severity : Critical

Publid Date: 2026-04-15T19:04:55Z

Links: CVE-2026-6315 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-17T06:30:11Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object