Chrome use-after-free RCE via Prerender (CVE-2026-6299)

Vendor-confirmed - CVE-2026-6299 is a high-severity use-after-free in Google Chrome version 147.0.7727.100 and earlier that grants remote code execution via a malicious HTML page. Update to version 147.0.7727.101 to mitigate exploitation risk.

Overview

A critical memory corruption vulnerability, identified as CVE-2026-6299, has been patched in Google Chrome. This flaw exists in the browser’s Prerender component, a feature that loads pages in the background to speed up navigation. The vulnerability is rated with a high severity CVSS score of 8.8.

Vulnerability Details

The vulnerability is a use-after-free (UAF) bug within Chrome’s Prerender implementation. This type of memory safety issue occurs when a program continues to use a pointer to a memory location after it has been freed, which can corrupt valid data or executable code. In this case, a remote attacker could exploit this flaw by crafting a malicious HTML page. When a user visits this page, the attacker could potentially gain the ability to execute arbitrary code on the victim’s system.

Impact and Attack Vector

The impact of successful exploitation is severe, leading to remote code execution (RCE) within the context of the Chrome browser. This could allow an attacker to install malware, steal sensitive data, or take other malicious actions on the compromised machine. The attack vector is network-based, requiring low attack complexity and no user privileges. However, exploitation does require user interaction, such as visiting a malicious website.

Remediation and Mitigation

The primary and most effective remediation is to update Google Chrome immediately. Google has addressed this vulnerability in version 147.0.7727.101 and later. Chrome updates automatically by default, but users and administrators should verify their browsers are up to date.

To update Chrome:

1. Click the three-dot menu in the top-right corner.
2. Navigate to Help > About Google Chrome.
3. The browser will check for and install any available update. Ensure the version is 147.0.7727.101 or higher.
4. Relaunch the browser to complete the update.

Until the patch is applied, exercise caution when browsing and avoid clicking on links from untrusted sources. Enterprise administrators should ensure the update is deployed across their managed browser fleet.

Security Insight

This vulnerability underscores the persistent challenge of memory safety in large, complex codebases like browser engines, even in components designed for performance optimization like Prerender. It follows a pattern seen in other high-severity browser flaws, such as those previously exploited in Chrome’s V8 and Skia components. While not currently confirmed as actively exploited, its critical nature makes it a prime target, highlighting the critical importance of rapid patch deployment in the face of potent client-side attack vectors.

Update - May 2026

As of mid-May 2026, CVE-2026-6299 remains unpatched for users still running Chrome prior to version 147.0.7727.101. Google has not issued a new advisory or an emergency patch release beyond the original April fix. The vulnerability has not been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, though analysts should continue monitoring for inclusion given its remote code execution potential and Chromium-critical rating.

EPSS probability has seen a marginal uptick from 0.00048 to 0.0005 (15th percentile), indicating low but slightly rising exploit activity in the wild. No confirmed reports of widespread exploitation have been published by Google Threat Analysis Group or major security vendors. However, proof-of-concept code demonstrating the use-after-free in Prerender has circulated in private exploit trading forums since late April.

Two related Chromium use-after-free vulnerabilities-CVE-2026-6302 (V8) and CVE-2026-6305 (Service Workers)-were disclosed in the same Chrome update window. Defenders should treat all three as a cluster requiring coordinated patching.

Recommended actions: Prioritize updating all Chrome instances to 147.0.7727.101 or later. Apply browser isolation controls for untrusted sites. Enable endpoint detection rules targeting Chrome child-process crashes as an early indicator of exploitation attempts. Monitor for newly added KEV entries weekly.

Further Reading

• Google Adds 24-Hour Wait for Unverified App Sideloading
• DarkSword iOS Exploit Kit Uses 6 Flaws, 3 Zero-Days for
• Google Fixes Two Chrome Zero-Days Exploited in the Wild
• All High Vulnerabilities
• Recent Critical Vulnerabilities
• Top Critical CVEs