Chrome use-after-free RCE via Prerender (CVE-2026-6299)

Overview

A critical memory corruption vulnerability, identified as CVE-2026-6299, has been patched in Google Chrome. This flaw exists in the browser’s Prerender component, a feature that loads pages in the background to speed up navigation. The vulnerability is rated with a high severity CVSS score of 8.8.

Vulnerability Details

The vulnerability is a use-after-free (UAF) bug within Chrome’s Prerender implementation. This type of memory safety issue occurs when a program continues to use a pointer to a memory location after it has been freed, which can corrupt valid data or executable code. In this case, a remote attacker could exploit this flaw by crafting a malicious HTML page. When a user visits this page, the attacker could potentially gain the ability to execute arbitrary code on the victim’s system.

Impact and Attack Vector

The impact of successful exploitation is severe, leading to remote code execution (RCE) within the context of the Chrome browser. This could allow an attacker to install malware, steal sensitive data, or take other malicious actions on the compromised machine. The attack vector is network-based, requiring low attack complexity and no user privileges. However, exploitation does require user interaction, such as visiting a malicious website.

Remediation and Mitigation

The primary and most effective remediation is to update Google Chrome immediately. Google has addressed this vulnerability in version 147.0.7727.101 and later. Chrome updates automatically by default, but users and administrators should verify their browsers are up to date.

To update Chrome:

1. Click the three-dot menu in the top-right corner.
2. Navigate to Help > About Google Chrome.
3. The browser will check for and install any available update. Ensure the version is 147.0.7727.101 or higher.
4. Relaunch the browser to complete the update.

Until the patch is applied, exercise caution when browsing and avoid clicking on links from untrusted sources. Enterprise administrators should ensure the update is deployed across their managed browser fleet.

Security Insight

This vulnerability underscores the persistent challenge of memory safety in large, complex codebases like browser engines, even in components designed for performance optimization like Prerender. It follows a pattern seen in other high-severity browser flaws, such as those previously exploited in Chrome’s V8 and Skia components. While not currently confirmed as actively exploited, its critical nature makes it a prime target, highlighting the critical importance of rapid patch deployment in the face of potent client-side attack vectors.

Further Reading

• Google Adds 24-Hour Wait for Unverified App Sideloading
• DarkSword iOS Exploit Kit Uses 6 Flaws, 3 Zero-Days for
• Google Fixes Two Chrome Zero-Days Exploited in the Wild
• All High Vulnerabilities
• Recent Critical Vulnerabilities
• Top Critical CVEs