Description
Use after free in Cast in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)
Published: 2026-04-15
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Apply Patch
AI Analysis

Impact

A use‑after‑free vulnerability in the Cast module of Google Chrome allows a remote attacker to execute arbitrary code by serving a specially crafted HTML page. The flaw exists in all Chrome releases prior to 147.0.7727.101 and has a Chromium security severity of High.

Affected Systems

The affected product is Google Chrome; the flaw impacts any installation before version 147.0.7727.101. Systems running later Chrome releases are not impacted.

Risk and Exploitability

The vulnerability can be exploited remotely when a user visits a crafted HTML page, leading to code execution with the privileges of the user. EPSS data is not available and the flaw is not yet listed in the CISA KEV catalog, but a CVSS score of 8.8 together with a use-after-free weakness (CWE-416) indicates a high-severity risk if left unpatched. The likely attack vector is a crafted web page that engages the Cast feature; attackers can deliver malicious pages via compromised sites or phishing. The overall risk remains high until the vendor releases a patch.

Generated by OpenCVE AI on April 15, 2026 at 21:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Chrome to version 147.0.7727.101 or newer.
  • Disable the Cast functionality via Chrome settings or enterprise policy until the patch is applied.
  • Ensure automatic updates for Chrome are enabled so that future security fixes are installed promptly.

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 12:15:00 +0000

Title
  Removed: Remote Code Execution via Use-After-Free in Chrome Cast
  Added: Google Chrome: Chromium: Google Chrome and Chromium: Arbitrary code execution via a crafted HTML page
Weaknesses
  Added: CWE-825
References
Metrics
  Removed: threat_severity: None
  Added: threat_severity: Important


Wed, 15 Apr 2026 22:15:00 +0000

Title
  Added: Remote Code Execution via Use-After-Free in Chrome Cast

Wed, 15 Apr 2026 21:45:00 +0000

First Time appeared
  Added: Google; Google chrome
Vendors & Products
  Added: Google; Google chrome

Wed, 15 Apr 2026 20:15:00 +0000

Metrics
  Added: cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}
  Added: ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 15 Apr 2026 19:30:00 +0000

Description
  Added: Use after free in Cast in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)
Weaknesses
  Added: CWE-416
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-04-16T03:55:47.518Z

Reserved: 2026-04-14T18:12:27.867Z

Link: CVE-2026-6317

Vulnrichment

Updated: 2026-04-15T19:40:20.711Z

NVD

Status: Received

Published: 2026-04-15T20:16:41.743

Modified: 2026-04-15T20:16:41.743

Link: CVE-2026-6317

Red Hat

Severity: Important

Public Date: 2026-04-15T19:04:57Z

Links: CVE-2026-6317 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-15T22:00:06Z

Weaknesses