Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to vulnerabilities
High

Type Confusion in V8 in Google Chrome

IdentifiersCVE-2026-6363CWE-843· Access of Resource Using…

CVE-2026-6363 is a type confusion vulnerability in the V8 JavaScript engine used by Google Chrome. In Chrome versions prior to 147.0.7727.101, a remote attacker can trigger out-of-bounds memory access by causing a target to load a crafted HTML page containing malicious JavaScript. Based on the available supporting content, the flaw is associated with incorrect type assumptions in V8's feedback-driven optimization pipeline, where optimized code may later process an object using an incompatible memory layout. This can cause field accesses at incorrect offsets in the renderer process, resulting in out-of-bounds reads or writes and broader memory corruption conditions. Chromium rated the issue Medium severity.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can cause out-of-bounds memory access in the Chrome renderer process, leading to process crashes, information disclosure, and memory corruption. The supporting content indicates the bug may enable out-of-bounds reads and writes and could potentially be chained toward arbitrary code execution within the renderer sandbox. CVSS v3.1 was assessed as AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, reflecting potentially high confidentiality, integrity, and availability impact if exploited.

Mitigation

If you can’t patch tonight, do this now.

Until patching is complete, reduce exposure by limiting access to untrusted websites and minimizing the chance that users can be lured to attacker-controlled pages. Apply browser hardening and enterprise web filtering controls to block known malicious or suspicious sites, and restrict use of outdated Chrome or Chromium-based builds. Because exploitation requires user interaction with crafted web content, phishing-resistant controls and user exposure reduction can lower risk, but updating to a fixed version is the primary mitigation.

Remediation

Patch, then assume compromise.

Update Google Chrome to version 147.0.7727.101 or later. The fix was released in Chrome Stable on April 15, 2026, as version 147.0.7727.101 for Linux and 147.0.7727.101/.102 for Windows and Mac. Chromium-based browsers that bundle the affected V8 version should also be updated to a vendor release containing the fix. Enterprise administrators should enforce browser updates through their standard update management mechanisms, including the Google Admin console where applicable.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
GoogleChromeapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

6 SOURCESView more in app
cvefeed high severityNews
Apr 15, 2026
CVE-2026-6363 - Google Chrome V8 Type Confusion Memory Access

A type confusion vulnerability in the V8 engine of Google Chrome that could allow a remote attacker to potentially trigger out-of-bounds memory access via a crafted HTML page.

Read more
chrome releases blogNews
Apr 15, 2026
Chrome Releases: Stable Channel Update for Desktop

A medium-severity type confusion vulnerability in V8 in Google Chrome.

Read more
zeropath blogNews
Apr 15, 2026
Google Chrome CVE-2026-6363: Brief Summary of a V8 Type Confusion Leading to Out of Bounds Memory Access - ZeroPath Blog | ZeroPath

A type confusion vulnerability in Google Chrome's V8 JavaScript engine that can lead to out-of-bounds memory access when a user visits a crafted web page, with potential for information disclosure, memory corruption, and possible arbitrary code execution within the renderer sandbox.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity2

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2026-6363
NVD
nvd.nist.gov/vuln/detail/CVE-2026-6363
MITRE CWE · CWE-843
Access of Resource Using Incompatible Type…
Vendor Advisory
chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_15.html
Issue Tracking
issues.chromium.org/issues/495751197