Chrome sandbox escape via type confusion (CVE-2026-6301)

Vendor-confirmed - CVE-2026-6301 is a high type confusion vulnerability in Google Chrome prior to 147.0.7727.101 that allows an attacker to execute arbitrary code on a victim’s system and potentially escape the browser security sandbox by tricking the V8 Turbofan compiler into misinterpreting data types.

Overview

A high-severity vulnerability, tracked as CVE-2026-6301, has been patched in Google Chrome. This flaw is a type confusion issue within the V8 JavaScript engine’s Turbofan compiler. Successful exploitation could allow an attacker to execute arbitrary code on a victim’s system and potentially escape the browser’s security sandbox.

Vulnerability Details

The vulnerability exists in versions of Google Chrome prior to 147.0.7727.101. It is classified as a type confusion flaw in the Turbofan optimization component. In simple terms, this means the browser’s JavaScript engine can be tricked into treating a piece of data as a different type than it actually is (for example, treating an integer as a memory pointer). This confusion corrupts the browser’s memory and creates an opportunity for an attacker to take control of the program’s execution flow.

The attack vector is network-based, requiring low complexity and no user privileges. However, it does require user interaction, such as a victim visiting a malicious or compromised website hosting a crafted HTML page.

Impact and Risk

The primary risk is arbitrary code execution. If exploited, this vulnerability could allow a remote attacker to run malicious code on a user’s computer with the privileges of the Chrome process. The high CVSS score of 8.8 reflects the significant danger, particularly the potential for the malicious code to break out of Chrome’s built-in sandbox-a critical security boundary designed to contain such attacks.

While there is no current confirmation from CISA that this vulnerability is being actively exploited in the wild, its severity and technical nature make it a prime target for attackers. Organizations and users should treat this patch as a high priority.

Remediation and Mitigation

The fix is straightforward: update Google Chrome immediately.

Action Required:

• Update Google Chrome to version 147.0.7727.101 or later.
• The update should be applied automatically. To manually update, navigate to Chrome menu (⋮) > Help > About Google Chrome. The browser will check for and apply the update.
• Restart the browser after the update is complete to ensure the patch is active.

For managed environments, ensure your deployment tools are pushing this version. There are no known effective workarounds; applying the update is the only complete mitigation.

Security Insight

This type confusion flaw in V8’s Turbofan engine is a recurring theme in Chrome security, reminiscent of past high-severity issues like those exploited in the wild and patched previously. It highlights the persistent challenge of securing complex, performance-critical JIT (Just-In-Time) compilers against memory corruption attacks, a battle also seen in other platforms like the DarkSword iOS exploit kit. Google’s rapid patch cycle underscores the necessity of automated browser updates as a first line of defense.

Update - May 2026

As of May 13, 2026, CVE-2026-6301 has not been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, but organizations should continue monitoring for possible inclusion. The Exploit Prediction Scoring System (EPSS) score remains low at 0.0004 (11th percentile), up slightly from 0.00036 at initial publication - indicating minimal active exploitation in the wild.

Patch status: Google released the fix in Chrome 147.0.7727.101 on April 15, 2026. All users and enterprise administrators should ensure browsers are updated to this version or later. No subsequent Chrome releases have introduced further patches for this CVE.

Related CVEs: No CVEs specifically tied to the same TurboFan type confusion vector have been published since April, but the ongoing Chromium security update cadence continues to address related V8 engine issues. Defenders should track all Chrome releases for subsequent high-severity fixes.

Real-world observations: No confirmed mass exploitation or public proof-of-concept code has been observed. However, sandbox escape chains combining this type confusion with a separate kernel-level vulnerability remain a plausible attack scenario.

Recommended actions: Prioritize Chrome updates across all endpoints. Enable browser isolation policies. Monitor endpoint detection and response (EDR) logs for anomalous child process execution from Chrome, especially those invoking cmd.exe, powershell.exe, or bash. Review sandbox bypass indicators and apply application control where feasible.

Further Reading

• Google Adds 24-Hour Wait for Unverified App Sideloading
• DarkSword iOS Exploit Kit Uses 6 Flaws, 3 Zero-Days for
• Google Fixes Two Chrome Zero-Days Exploited in the Wild
• All High Vulnerabilities
• Recent Critical Vulnerabilities
• Top Critical CVEs