Description
Use after free in XR in Google Chrome on Android prior to 147.0.7727.101 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Critical)
Published: 2026-04-15
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Out-of-bounds memory read via crafted HTML page (use-after-free in XR)
Action: Immediate Patch
AI Analysis

Impact

A use-after-free vulnerability in the XR component of Google Chrome on Android allows a remote attacker to trigger an out-of-bounds memory read through a crafted HTML page. This flaw is classified as CWE‑416 and CWE‑125 and is considered critical in Chromium's security rating, suggesting that a successful exploitation could compromise data confidentiality and potentially enable further malicious actions in the browser session.

Affected Systems

Google Chrome for Android users running versions prior to 147.0.7727.101 are impacted. The vulnerability is confined to the XR component and does not affect non-Android distributions or newer Chrome versions that have addressed the issue.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity. Because the flaw can be triggered by a simple web page, the attack surface is wide from any network the device connects to. Even without publicly disclosed exploits, the critical nature of the vulnerability, as rated by Chromium, demands immediate remediation. Attackers can read arbitrary memory, which may be leveraged for credential theft or as a foothold for further exploitation. Prompt patching is essential.

Generated by OpenCVE AI on April 16, 2026 at 09:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Chrome Android to version 147.0.7727.101 or newer.
  • Disable XR/VR functionality if it is not required to reduce the attack surface.
  • Apply site filtering or browser extensions that block suspicious or unknown HTML pages until the patch is applied.

Generated by OpenCVE AI on April 16, 2026 at 09:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6214-1 chromium security update
History

Fri, 17 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:android:*:*

Thu, 16 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Title chromium-browser: Use after free in XR
Weaknesses CWE-125
References
Metrics threat_severity

None

 threat_severity

Important

Wed, 15 Apr 2026 22:00:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Wed, 15 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 15 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
Description Use after free in XR in Google Chrome on Android prior to 147.0.7727.101 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Critical)
Weaknesses CWE-416
References

Subscriptions

Google Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-04-16T03:55:54.349Z

Reserved: 2026-04-15T14:28:37.111Z

Link: CVE-2026-6358

cve-icon Vulnrichment

Updated: 2026-04-15T19:46:03.979Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-15T20:16:42.363

Modified: 2026-04-17T19:09:32.523

Link: CVE-2026-6358

cve-icon Redhat

Severity : Important

Publid Date: 2026-04-15T00:00:00Z

Links: CVE-2026-6358 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T09:15:30Z

Weaknesses