CVE-2026-6362 - Vulnerability Details

- chromium-browser: Use after free in Codecs

Description

Use after free in Codecs in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to potentially perform out of bounds memory access via a crafted video file. (Chromium security severity: High)

Published: 2026-04-15

Score: 6.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Google Chrome versions prior to 147.0.7727.101 contain a use‑after‑free bug in the codec handling code that allows a remote attacker to craft a video file triggering an out‑of‑bounds memory read or write. This flaw is a classic memory corruption weakness classified as CWE‑416 and also as CWE‑825. The vulnerability is described as a high‑severity issue by Chromium, indicating significant potential impact, though the description does not explicitly state that it leads to arbitrary code execution.

Affected Systems

All installations of Google Chrome on supported operating systems are affected if the browser version is older than 147.0.7727.101. The vulnerability is not limited to a specific platform, so any user running a vulnerable release remains at risk.

Risk and Exploitability

An attacker can exploit the flaw by delivering a specially crafted video file to the browser, which can be done via malicious websites, email attachments, or compromised media streams. The EPSS score is < 1%, and the vulnerability is not currently listed in the CISA KEV catalog. Chromium rates the problem as high severity, with a CVSS score of 6.3, suggesting that, if the attack succeeds, the attacker may cause memory corruption and potential system compromise, depending on privileges and sandbox mitigations. The likely attack vector is remote, initiated through the client side.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Google

Chrome

affected

Version	Status	Constraints
`147.0.7727.101`	affected	< 147.0.7727.101

Configuration 1 [-]

cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Google

Chrome

100%

Version	Status	Scheme	Platform
`[147.0.7727.101,147.0.7727.101)`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update Chrome to version 147.0.7727.101 or later
Enable Chrome’s automatic‑update feature to ensure future patches are applied
If an immediate upgrade is not possible, launch Chrome with the flag '--disable-software-video-decode' to force hardware decoding, which may reduce exposure to the use‑after‑free flaw

Generated by OpenCVE AI on April 17, 2026 at 07:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DSA	DSA-6214-1	chromium security update

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00017.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_15.html
https://issues.chromium.org/issues/500066234
https://nvd.nist.gov/vuln/detail/CVE-2026-6362
https://www.cve.org/CVERecord?id=CVE-2026-6362

History

Fri, 17 Apr 2026 19:30:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:google:chrome::::::::

Thu, 16 Apr 2026 14:15:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}`	ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}` cvssV3_1 `{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L'}`

Thu, 16 Apr 2026 00:15:00 +0000

Type	Values Removed	Values Added
Title		chromium-browser: Use after free in Codecs
Weaknesses		CWE-825
References		https://nvd.nist.gov/vuln/detail/CVE-2026-6362 https://www.cve.org/CVERecord?id=CVE-2026-6362
Metrics	threat_severity `None`	cvssV3_1 `{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}` threat_severity `Important`

Wed, 15 Apr 2026 21:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Google Google chrome
Vendors & Products		Google Google chrome

Wed, 15 Apr 2026 19:30:00 +0000

Type	Values Removed	Values Added
Description		Use after free in Codecs in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to potentially perform out of bounds memory access via a crafted video file. (Chromium security severity: High)
Weaknesses		CWE-416
References		https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_15.html https://issues.chromium.org/issues/500066234

Subscriptions

Google Chrome

MITRE

Status: PUBLISHED

Assigner: Chrome

Published: 2026-04-15T19:04:57.143Z

Updated: 2026-04-29T13:47:38.943Z

Reserved: 2026-04-15T14:28:38.226Z

Link: CVE-2026-6362

Vulnrichment

Updated: 2026-04-16T13:23:09.942Z

NVD

Status : Modified

Published: 2026-04-15T20:16:43.557

Modified: 2026-04-29T15:16:08.400

Link: CVE-2026-6362

Redhat

Severity : Important

Publid Date: 2026-04-15T00:00:00Z

Links: CVE-2026-6362 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-17T08:00:11Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object