Description
Use after free in Codecs in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to potentially perform out of bounds memory access via a crafted video file. (Chromium security severity: High)
Published: 2026-04-15
Score: 9.6 Critical
EPSS: n/a
KEV: No
Impact: Out-of-bounds memory access
Action: Apply Patch
AI Analysis

Impact

Google Chrome versions prior to 147.0.7727.101 contain a use‑after‑free bug in the codec handling code that allows a remote attacker to craft a video file triggering an out‑of‑bounds memory read or write. This flaw is a classic memory corruption weakness classified as CWE‑416 and also as CWE‑825. The vulnerability is described as a high‑severity issue by Chromium, indicating significant potential impact, though the description does not explicitly state that it leads to arbitrary code execution.

Affected Systems

All installations of Google Chrome on supported operating systems are affected if the browser version is older than 147.0.7727.101. The vulnerability is not limited to a specific platform, so any user running a vulnerable release remains at risk.

Risk and Exploitability

An attacker can exploit the flaw by delivering a specially crafted video file to the browser, which can be done via malicious websites, email attachments, or compromised media streams. The EPSS score is not available, and the vulnerability is not currently listed in the CISA KEV catalog. Chromium rates the problem as high severity, with a CVSS score of 9.6, suggesting that, if the attack succeeds, the attacker may cause memory corruption and potential system compromise, depending on privileges and sandbox mitigations. The likely attack vector is remote, initiated through the client side.

Generated by OpenCVE AI on April 16, 2026 at 02:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Chrome to version 147.0.7727.101 or later
  • Enable Chrome’s automatic‑update feature to ensure future patches are applied
  • Restrict playback of untrusted video content by disabling extensions that expose arbitrary video files or by configuring sandbox settings to limit file system access during video decoding

Generated by OpenCVE AI on April 16, 2026 at 02:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Title chromium-browser: Use after free in Codecs
Weaknesses CWE-825
References
Metrics threat_severity

None

 cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}

threat_severity

Important

Wed, 15 Apr 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Wed, 15 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
Description Use after free in Codecs in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to potentially perform out of bounds memory access via a crafted video file. (Chromium security severity: High)
Weaknesses CWE-416
References

Subscriptions

Google Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-04-15T19:04:57.143Z

Reserved: 2026-04-15T14:28:38.226Z

Link: CVE-2026-6362

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-04-15T20:16:43.557

Modified: 2026-04-15T20:16:43.557

Link: CVE-2026-6362

cve-icon Redhat

Severity : Important

Publid Date: 2026-04-15T00:00:00Z

Links: CVE-2026-6362 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T02:30:21Z

Weaknesses