Description
Use after free in Codecs in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-04-15
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Now
AI Analysis

Impact

The vulnerability is a use-after-free flaw (CWE-416) in the Codecs component of Google Chrome that allows a maliciously crafted HTML page to trigger a memory-safety error inside the browser's sandboxed process. Successful exploitation can lead to execution of arbitrary code within that sandbox and could compromise the confidentiality, integrity, and availability of the user's data. The issue is additionally classified as CWE-825 (Expired Pointer Dereference), the more general weakness of which use-after-free is a specific case, so the second classification describes the same underlying defect rather than a separate bug.

Affected Systems

Google Chrome versions earlier than 147.0.7727.101 are affected. The issue exists on all supported operating systems until the user updates to this release or a newer one.

Risk and Exploitability

The likely attack vector is remote, web-based delivery of a specially crafted HTML page, which the victim must open. The CVSS score of 8.8 indicates a high-severity flaw, while the EPSS score is below 1% (Very Low), indicating that exploitation is currently considered unlikely. The vulnerability offers a native code execution path inside the sandboxed process; reaching other system resources would additionally require a sandbox escape. KEV does not list this vulnerability. Although no exploitation reports currently exist, the high severity warrants immediate mitigation.

Generated by OpenCVE AI on April 17, 2026 at 06:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to Chrome version 147.0.7727.101 or newer using the browser’s auto‑update feature
  • If a timely update is not possible, restrict the browser from loading content from untrusted domains, using network or firewall rules or a browser extension that blocks unknown sites
  • Until the patch is applied, enforce stricter content security policies to block the loading of untrusted scripts and prevent the HTML from executing code within the browser
  • Consider disabling the Chromium video decoding extensions that consume the vulnerable codecs module, if the product configuration allows it


Advisories

Source      ID          Title
Debian DSA  DSA-6214-1  chromium security update
History

Each entry lists the changed field type followed by the values removed and added.

Fri, 17 Apr 2026 19:15:00 +0000

  First Time appeared: Apple; Apple macos; Linux; Linux linux Kernel; Microsoft; Microsoft windows
  CPEs:
    cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
    cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
    cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
    cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
  Vendors & Products: Apple; Apple macos; Linux; Linux linux Kernel; Microsoft; Microsoft windows

Thu, 16 Apr 2026 10:15:00 +0000

  Metrics:
    cvssV3_1: {'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}
    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}
    cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Thu, 16 Apr 2026 00:15:00 +0000

  Title: chromium-browser: Use after free in Codecs
  Weaknesses: CWE-825
  References
  Metrics:
    threat_severity: None
    cvssV3_1: {'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}
    threat_severity: Moderate

Wed, 15 Apr 2026 22:45:00 +0000

  First Time appeared: Google; Google chrome
  Vendors & Products: Google; Google chrome

Wed, 15 Apr 2026 19:30:00 +0000

  Description: Use after free in Codecs in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)
  Weaknesses: CWE-416
  References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-04-16T09:58:26.278Z

Reserved: 2026-04-14T18:12:28.207Z

Link: CVE-2026-6318

Vulnrichment

Updated: 2026-04-16T09:58:13.973Z

NVD

Status : Analyzed

Published: 2026-04-15T20:16:42.020

Modified: 2026-04-17T19:08:23.543

Link: CVE-2026-6318

Redhat

Severity : Moderate

Public Date: 2026-04-15T00:00:00Z

Links: CVE-2026-6318 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-17T06:30:11Z

Weaknesses