Chrome remote code execution inside the sandbox via CSS use-after-free (CVE-2026-6300)
A crafted web page can trigger a use-after-free in Chrome's CSS engine and gain remote code execution inside the browser sandbox. Fixed in version 147.0.7727.101.
Vendor-confirmed: CVE-2026-6300 is a high-severity use-after-free in Google Chrome that allows remote code execution inside the Chrome sandbox when a user visits a crafted web page. Update to version 147.0.7727.101 or later.
Overview
A high-severity vulnerability, tracked as CVE-2026-6300, has been patched in Google Chrome. This flaw is a use-after-free memory corruption bug within the browser’s CSS engine. If successfully exploited, it could allow an attacker to execute arbitrary code within the Chrome sandbox.
Vulnerability Details
The vulnerability is a use-after-free in Chrome's Cascading Style Sheets (CSS) processing component. A use-after-free occurs when a program keeps using a pointer to a heap object after that object has been freed. In a browser this is particularly dangerous because page content can drive allocations: once the object is freed, attacker-controlled allocations of a similar size can reclaim the same memory, so the stale pointer now refers to data the attacker chose, which can corrupt valid data or redirect control flow. Here the flaw is triggered when a user visits a specially crafted, malicious web page. The attack is network-reachable with low complexity, requires no privileges, and needs only that the victim load the page (for example by following a link), which is the "user interaction required" component of the CVSS vector.
Impact
The primary risk is remote code execution (RCE) within the confines of the Chrome sandbox, that is, in the renderer process that handles the crafted page. The sandbox is designed to limit the damage of such exploits by restricting the renderer's access to the underlying operating system, so a sandbox escape (a second bug in the browser process or the OS) is typically the attacker's next step. Even without an escape, code running in a compromised renderer can read the data that process handles, such as page content and session material for the sites it renders. Installing malware or using the compromised browser as a foothold for further attacks on a network generally requires chaining this bug with a sandbox escape. The CVSS base score of 8.8 (High) reflects the high potential impact to confidentiality, integrity, and availability.
Remediation and Mitigation
The fix is available in Google Chrome version 147.0.7727.101 and later. All users and administrators should take immediate action.
To update Google Chrome:
- Open Chrome.
- Click the three-dot menu in the top-right corner.
- Navigate to Help > About Google Chrome.
- The browser will automatically check for and begin installing the update. Relaunch Chrome to complete the process.
Ensure updates are applied across all managed endpoints. For enterprise deployments using Google Chrome Enterprise, updates can be deployed through standard management tools. Because Chrome only runs the new version after a relaunch, verify the installed version on each endpoint rather than assuming the auto-updater has finished. As a general security practice, users should exercise caution with unsolicited links and emails.
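The following script is an added example for this advisory, not code from Google or from the original page. It shows the version check an administrator would run over an endpoint inventory: parse the four-part Chrome version out of a free-form string (such as the output of `google-chrome --version` or a management-tool export), compare it numerically against the fixed build, and report an action. The function names, the `installed_chrome_version` helper and the sample inventory lines are assumptions constructed for illustration; the only value taken from the advisory is the fixed version 147.0.7727.101.

```python
"""Check whether an installed Chrome build is at or past the version that fixes
CVE-2026-6300 (147.0.7727.101).

Added example for this advisory; not code from Google or from the advisory itself.
Function names and the sample inventory strings are constructed for illustration.
"""
import re
import shutil
import subprocess
from typing import Optional, Tuple

# First build that contains the fix for CVE-2026-6300, per the advisory.
FIXED_VERSION = "147.0.7727.101"

# Chrome versions are four dotted integers: MAJOR.MINOR.BUILD.PATCH
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Extract a four-part Chrome version from free-form text such as
    'Google Chrome 147.0.7727.101' or 'Chromium 148.0.7778.96 snap'.
    Returns None when no version is present."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, build, patch = (int(p) for p in m.groups())
    return (major, minor, build, patch)


def is_patched(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `installed` is greater than or equal to `fixed`.
    Tuple comparison compares each component as an integer, so
    147.0.7727.101 correctly ranks above 147.0.7727.99 (a plain string
    comparison would get this wrong)."""
    inst = parse_version(installed)
    fix = parse_version(fixed)
    if inst is None or fix is None:
        raise ValueError(f"unparseable version: {installed!r} / {fixed!r}")
    return inst >= fix


def assess(report: str, fixed: str = FIXED_VERSION) -> str:
    """Classify a version string into an action for the operator."""
    v = parse_version(report)
    if v is None:
        return "unknown: could not parse version"
    if is_patched(report, fixed):
        return "patched"
    return f"VULNERABLE: {'.'.join(map(str, v))} < {fixed}, update required"


def installed_chrome_version() -> Optional[str]:
    """Best-effort local lookup on Linux/macOS by running the browser binary
    with --version (hypothetical helper; binary names are assumptions).
    Returns None if no binary is found. On Windows the version would instead
    be read from the install directory, which is not shown here."""
    for name in ("google-chrome", "google-chrome-stable", "chromium", "chromium-browser"):
        path = shutil.which(name)
        if path:
            out = subprocess.run([path, "--version"], capture_output=True, text=True, timeout=10)
            return out.stdout.strip()
    return None


if __name__ == "__main__":
    # Constructed sample inventory lines, as an endpoint-management export might produce.
    sample_inventory = [
        ("host-a", "Google Chrome 147.0.7727.101"),
        ("host-b", "Google Chrome 147.0.7727.99"),
        ("host-c", "Google Chrome 148.0.7778.96"),
        ("host-d", "Google Chrome 146.0.7200.250"),
    ]
    for host, ver in sample_inventory:
        print(f"{host}: {assess(ver)}")
    local = installed_chrome_version()
    if local:
        print(f"local: {local} -> {assess(local)}")
```

The fixed version is a parameter rather than a constant baked into the comparison because 147.0.7727.101 only closes this CVE; the related advisories on this page list further fixes in 148.0.7778.96 and 149.0.7827.103, so in practice the threshold should be the current stable release rather than the minimum for one bug.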
Security Insight
This vulnerability highlights the persistent attack surface presented by complex web rendering engines. Although it has not been observed in active attacks at the time of writing, memory corruption flaws in core components like the CSS engine are highly attractive to exploit kit developers, as seen in campaigns like the DarkSword iOS Exploit Kit. Google's rapid patch cadence, consistent with its response to recent zero-days, is critical for defense, but it also means the window between disclosure and patch availability is short only if updates are actually installed; automated, timely deployment with a relaunch is what closes it.
Related Advisories
- Use after free in Prerender in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)...
- Use after free in Video in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)...
- Use after free in Fullscreen in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)...
- Out of bounds read and write in V8 in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: H...
Other Google Chrome Vulnerabilities
- Integer overflow in Blink in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)...
- Use after free in Chromoting in Google Chrome on Linux prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary code via malicious network traffic. (Chromium security severity: Critical)...
- Out of bounds read and write in V8 in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Hi...