{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6360", "assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "state": "PUBLISHED", "assignerShortName": "Chrome", "dateReserved": "2026-04-15T14:28:37.731Z", "datePublished": "2026-04-15T19:04:53.135Z", "dateUpdated": "2026-04-16T03:56:09.052Z"}, "containers": {"cna": {"affected": [{"vendor": "Google", "product": "Chrome", "versions": [{"version": "147.0.7727.101", "status": "affected", "lessThan": "147.0.7727.101", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Use after free in FileSystem in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page. (Chromium security severity: High)"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Use after free", "cweId": "CWE-416"}]}], "providerMetadata": {"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "shortName": "Chrome", "dateUpdated": "2026-04-15T19:04:53.135Z"}, "references": [{"url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_15.html"}, {"url": "https://issues.chromium.org/issues/497880137"}]}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-15T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-6360"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T03:56:09.052Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-6360", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-15T20:04:39.968586Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T20:04:48.843Z"}}], "cna": {"affected": [{"vendor": "Google", "product": "Chrome", "versions": [{"status": "affected", "version": "147.0.7727.101", "lessThan": "147.0.7727.101", "versionType": "custom"}]}], "references": [{"url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_15.html"}, {"url": "https://issues.chromium.org/issues/497880137"}], "descriptions": [{"lang": "en", "value": "Use after free in FileSystem in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page. (Chromium security severity: High)"}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-416", "description": "Use after free"}]}], "providerMetadata": {"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "shortName": "Chrome", "dateUpdated": "2026-04-15T19:04:53.135Z"}}}, "cveMetadata": {"cveId": "CVE-2026-6360", "state": "PUBLISHED", "dateUpdated": "2026-04-16T03:56:09.052Z", "dateReserved": "2026-04-15T14:28:37.731Z", "assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "datePublished": "2026-04-15T19:04:53.135Z", "assignerShortName": "Chrome"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*", "matchCriteriaId": "571DC362-C7E4-4FA4-A493-9DD22A4DACC6", "versionEndExcluding": "147.0.7727.101", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Use after free in FileSystem in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page. (Chromium security severity: High)"}], "id": "CVE-2026-6360", "lastModified": "2026-04-17T19:20:59.650", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-15T20:16:42.830", "references": [{"source": "chrome-cve-admin@google.com", "tags": ["Vendor Advisory"], "url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_15.html"}, {"source": "chrome-cve-admin@google.com", "tags": ["Issue Tracking", "Permissions Required"], "url": "https://issues.chromium.org/issues/497880137"}], "sourceIdentifier": "chrome-cve-admin@google.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "chrome-cve-admin@google.com", "type": "Primary"}]}

{"bugzilla": {"description": "chromium-browser: Use after free in FileSystem", "id": "2458809", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2458809"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.6", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-825", "details": ["An use after free flaw was found in the FileSystem component of the Chromium browser.\nUpstream bug(s):\nhttps://code.google.com/p/chromium/issues/detail?id=497880137"], "name": "CVE-2026-6360", "public_date": "2026-04-15T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-6360\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-6360\nhttps://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_15.html\nhttps://issues.chromium.org/issues/497880137"], "statement": "Red Hat Product Security rates the severity of this flaw as determined by the Google Chrome Security Advisory.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[147.0.7727.101,147.0.7727.101)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Chrome", "source": "cna", "vendor": "Google"}, "product": "chrome", "vendor": "google"}], "analysis": {"en": {"generated_at": "2026-04-17T08:50:55.494470+00:00", "value": {"mitigation_remediation": ["Upgrade Chrome to version 147.0.7727.101 or later.", "Ensure automatic updates are enabled so that future security patches are installed promptly.", "Avoid navigating to or loading untrusted HTML content until the browser is updated."], "summary": {"action": "Apply Patch", "impact": "Object Corruption via Remote Attacker"}, "threat_synthesis": {"affected_systems": "The flaw affects all installations of Google Chrome on every platform when the installed version is earlier than 147.0.7727.101, regardless of operating system.", "description_and_impact": "Google Chrome versions older than 147.0.7727.101 contain a use\u2011after\u2011free flaw in the FileSystem module, identified as CWE\u2011416. The vulnerability arises when a maliciously crafted HTML page is rendered, allowing the browser to read or write to a memory object that has already been freed, potentially leading to object corruption. This issue also involves improper bounds checking, corresponding to CWE\u2011825. Based on the description, it is inferred that the corruption could result in unintended behavior, including possible code execution if an exploit chain is executed.", "risk_and_exploitability": "The vulnerability carries a high severity rating, with a CVSS score of 8.8. The likelihood of exploitation in the wild is very low, and it is not listed among publicly known exploited vulnerabilities. Attackers can deliver the crafted HTML page remotely through normal web content, triggering the use\u2011after\u2011free without requiring additional privileges. Successful exploitation would depend on additional conditions such as the presence of other vulnerabilities and host configuration."}}}}, "created": "2026-04-15T22:00:06.470355+00:00", "updated": "2026-04-17T09:00:10.942270+00:00", "vendors": ["google", "google$PRODUCT$chrome"]}