{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6363", "assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "state": "PUBLISHED", "assignerShortName": "Chrome", "dateReserved": "2026-04-15T14:28:38.485Z", "datePublished": "2026-04-15T19:04:57.982Z", "dateUpdated": "2026-04-16T03:55:45.999Z"}, "containers": {"cna": {"affected": [{"vendor": "Google", "product": "Chrome", "versions": [{"version": "147.0.7727.101", "status": "affected", "lessThan": "147.0.7727.101", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Type Confusion in V8 in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: Medium)"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Type Confusion", "cweId": "CWE-843"}]}], "providerMetadata": {"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "shortName": "Chrome", "dateUpdated": "2026-04-15T19:04:57.982Z"}, "references": [{"url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_15.html"}, {"url": "https://issues.chromium.org/issues/495751197"}]}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-15T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-6363"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T03:55:45.999Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-6363", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-15T19:38:42.455170Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T19:38:53.048Z"}}], "cna": {"affected": [{"vendor": "Google", "product": "Chrome", "versions": [{"status": "affected", "version": "147.0.7727.101", "lessThan": "147.0.7727.101", "versionType": "custom"}]}], "references": [{"url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_15.html"}, {"url": "https://issues.chromium.org/issues/495751197"}], "descriptions": [{"lang": "en", "value": "Type Confusion in V8 in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: Medium)"}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-843", "description": "Type Confusion"}]}], "providerMetadata": {"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "shortName": "Chrome", "dateUpdated": "2026-04-15T19:04:57.982Z"}}}, "cveMetadata": {"cveId": "CVE-2026-6363", "state": "PUBLISHED", "dateUpdated": "2026-04-16T03:55:45.999Z", "dateReserved": "2026-04-15T14:28:38.485Z", "assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "datePublished": "2026-04-15T19:04:57.982Z", "assignerShortName": "Chrome"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*", "matchCriteriaId": "571DC362-C7E4-4FA4-A493-9DD22A4DACC6", "versionEndExcluding": "147.0.7727.101", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Type Confusion in V8 in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: Medium)"}], "id": "CVE-2026-6363", "lastModified": "2026-04-17T19:19:48.317", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-15T20:16:43.690", "references": [{"source": "chrome-cve-admin@google.com", "tags": ["Vendor Advisory"], "url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_15.html"}, {"source": "chrome-cve-admin@google.com", "tags": ["Issue Tracking", "Permissions Required"], "url": "https://issues.chromium.org/issues/495751197"}], "sourceIdentifier": "chrome-cve-admin@google.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-843"}], "source": "chrome-cve-admin@google.com", "type": "Primary"}]}

{"bugzilla": {"description": "V8: Google Chrome: Chromium: Google Chrome V8: Out-of-bounds memory access via crafted HTML page", "id": "2458800", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2458800"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-843", "details": ["A flaw was found in V8 in Google Chrome. This type confusion vulnerability allows a remote attacker to potentially perform out-of-bounds memory access by enticing a user to visit a specially crafted HTML page. This could lead to arbitrary code execution or information disclosure."], "name": "CVE-2026-6363", "public_date": "2026-04-15T19:04:57Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-6363\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-6363\nhttps://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_15.html\nhttps://issues.chromium.org/issues/495751197"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,147.0.7727.101)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Chrome", "source": "cna", "vendor": "Google"}, "product": "chrome", "vendor": "google"}], "analysis": {"en": {"generated_at": "2026-04-15T21:57:07.106693+00:00", "value": {"mitigation_remediation": ["Update Chrome to version 147.0.7727.101 or later via the standard update mechanism. ", "Where automatic updates are disabled, install the latest installer directly from Google\u2019s official site or deploy the update through enterprise management tools. ", "For environments that cannot upgrade immediately, restrict execution of untrusted JavaScript by implementing a restrictive Content Security Policy and disabling inline scripts in the browser configuration."], "summary": {"action": "Immediate Patch", "impact": "Out\u2011of\u2011bounds memory access potentially leading to remote exploitation"}, "threat_synthesis": {"affected_systems": "The flaw is present in all versions of Google Chrome before 147.0.7727.101. This includes the stable channel builds shipped to end users, enterprise deployments, and any systems that have not upgraded to the patched release. Any device running an affected Chrome version that processes untrusted Web content is potentially exposed.", "description_and_impact": "V8, the JavaScript engine embedded in Google Chrome, suffered a type\u2011confusion flaw that permitted a maliciously crafted HTML page to trigger a memory corruption error. The vulnerability can lead to out\u2011of\u2011bounds memory access, which in turn could allow an attacker to influence program execution or leak sensitive data. The weakness is a classic type\u2011confusion issue (CWE\u2011843) and the official severity assigned by Chromium is medium.", "risk_and_exploitability": "The CVSS score is 8.8, indicating high severity, reflecting the need for a crafted input delivered over the network but with no known active exploitation. The EPSS score is not available, and the flaw is not listed in CISA\u2019s KEV catalog, suggesting that publicly disclosed exploitation is not yet widespread. Nevertheless, the attack vector is remote and can be carried out through a single malicious HTML page. The risk is therefore high, with the primary mitigation being the application of the patch that appears in the quoted release notes."}}}}, "created": "2026-04-15T21:30:13.803324+00:00", "title": "V8 Type Confusion Leading to Out\u2011of\u2011Bounds Memory Access via Malicious HTML Page", "updated": "2026-04-15T22:00:06.619748+00:00", "vendors": ["google", "google$PRODUCT$chrome"]}