Chrome Skia Out-of-Bounds Read CVE-2026-6364: Patch to 147.0.7727.101

Google has patched a Skia out-of-bounds read in Chrome that maps to CVE-2026-6364, and the fix matters more than the severity label might suggest. The vulnerable builds are Google Chrome prior to 147.0.7727.101, and Google says a crafted file could let a remote attacker extract potentially sensitive information from process memory. Microsoft’s Security Update Guide has also surfaced the issue for its ecosystem, which is a reminder that Chrome vulnerabilities often ripple well beyond the browser itself.

Overview​

The April 2026 Chrome security update arrived with a familiar pattern: a stable-channel release, a large bundle of fixes, and a short but significant note about a memory-safety bug in Skia, Chrome’s 2D graphics library. Google’s release notes say the desktop stable channel moved to 147.0.7727.101/102 on Windows and Mac, and 147.0.7727.101 on Linux, with 31 security fixes in the build. Among them was CVE-2026-6364, classified by Chromium as Medium, but still serious enough to deserve prompt enterprise attention.
The key detail is that this is an out-of-bounds read, not a write. That distinction matters: a read bug is usually less likely to lead directly to code execution, but it can still leak secrets from process memory, including browser state, tokens, and fragments of user data. In a modern browser architecture, where sensitive content is constantly parsed, rendered, cached, and passed between sandboxed and utility processes, a leak can become a bridge to later exploitation.
There is also a wider historical context here. Chrome and Chromium have had repeated memory-safety issues in Skia, and the April 2026 patch follows earlier Skia flaws from the same year, including an out-of-bounds write and an integer overflow that appeared in Chrome’s release stream earlier in 2026. That pattern suggests Skia remains a high-value attack surface because it sits near a large amount of untrusted input: images, fonts, documents, and other crafted assets that browsers must render safely at internet scale.
For Windows users, this matters even when Chrome is not the default browser. Microsoft’s vulnerability guide now tracks Chromium-derived CVEs because they can affect products and workflows that embed browser components or consume browser-adjacent content. That broader ecosystem effect is why a Chrome bug is rarely just a Chrome bug anymore.

---

What Chromium Said​

Google’s own wording is concise but revealing. It says “Out of bounds read in Skia” allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted file, and that the issue is fixed in Chrome prior to 147.0.7727.101. The wording points to an attack path that does not require user authentication, but does require user interaction with malicious content.
That makes the bug less dramatic than a drive-by remote code execution flaw, but not benign. A crafted file can be distributed through email attachments, cloud shares, web pages, messaging platforms, or document portals. If the file reaches a Chromium-based renderer, the browser may load, decode, or inspect the content in ways that expose memory adjacent to the intended buffer.

Why a Read Bug Still Matters​

Security teams sometimes underrate read-only memory bugs because they do not immediately imply takeover. That is a mistake. An information disclosure can defeat protections such as ASLR, reveal heap layout, or expose session data that helps chain into a separate bug. In practice, a “read” bug is often the first half of a more dangerous exploit path.
The Chrome release notes do not say this flaw is exploited in the wild, and that absence is important. Unlike some earlier 2026 Chrome issues where Google explicitly warned of exploitation, this one appears to be a standard patch disclosure rather than an emergency incident response. Still, absence of a public exploit notice is not a reassurance to delay patching.

• A remote attacker can trigger the flaw with a crafted file.
• Sensitive memory disclosure is the main consequence.
• User interaction is likely required, which lowers reach but does not eliminate risk.
• Skia remains a recurring attack surface because of its parsing and rendering role.
• Patch management is the immediate defense, not configuration tuning.

---

Why Skia Is Such a Valuable Target​

Skia is one of those invisible components that users never think about until it fails. It handles graphics, drawing, and rendering tasks that underpin Chrome’s display pipeline, which means it regularly touches complex, attacker-influenced data. That is exactly the kind of code path where a small bounds-checking mistake can produce a security incident.
The problem is not simply that graphics code is complicated. The deeper issue is that rendering stacks combine performance pressure, platform variation, and legacy support, all of which increase the odds of subtle memory errors. When the browser has to process enormous numbers of untrusted inputs at high speed, even a mature library can develop a long tail of exploitable edge cases.

The Attack Surface Problem​

Skia is exposed to more than ordinary “image opening.” It can be involved in document previews, canvas drawing, compositing, font handling, and other content paths that feel mundane to users. That breadth makes it an attractive target for attackers because they can hide malicious data in formats people trust.
It also makes the bug more relevant to enterprise environments than to casual home browsing alone. Enterprises often centralize content ingestion through browsers, portals, and web apps, and those workflows can unintentionally create a high-volume stream of attacker-controlled files. If one parser leaks memory, the impact can extend into account material, cached documents, or process state. That is the sort of low-drama vulnerability that can still have high operational cost.

• Rendering code sees hostile inputs every day.
• Performance-sensitive libraries often sit close to unsafe memory operations.
• File-based delivery widens the attacker’s options beyond the web.
• Enterprise portals can become an accidental distribution channel.
• Defense-in-depth is essential because no single browser layer can catch everything.

---

The Version Story​

The vulnerable threshold is straightforward: Chrome versions before 147.0.7727.101 are affected. Google’s stable-channel announcement says the update rolled out beginning Wednesday, April 15, 2026, and that the corrected builds would arrive over the following days and weeks. That means exposure is not just a binary “patched or unpatched” state; it is often a staged rollout across fleets.
That rollout detail is important in enterprise settings. Administrators may assume a release date automatically means full fleet coverage, but browser updates can lag by policy, bandwidth, local admin restrictions, or deferred maintenance windows. In practice, the vulnerable window can remain open longer than the headline suggests.

How to Interpret the Build Numbers​

For Windows and Mac, Google listed 147.0.7727.101/102; for Linux, 147.0.7727.101. That dual Windows/Mac notation reflects the way Chrome packages stable releases across platforms, and it is a reminder to verify the exact installed build rather than relying on general release channel naming.
In security operations, exact versioning matters more than slogans like “latest Chrome.” Older point releases may appear close to the fixed build but still remain vulnerable, especially in offline or semi-managed devices. Security teams should treat this as a version-specific memory disclosure, not a generic browser advisory.

• Confirm the installed Chrome build on managed endpoints.
• Prioritize any system still below 147.0.7727.101.
• Check whether Chromium-based forks inherit the patched code path.
• Validate that automatic updates actually completed.
• Reboot or relaunch browsers where policy changes require it.

---

Enterprise Impact​

For enterprises, the biggest issue is not only confidentiality but workflow trust. A browser memory disclosure can undermine single sign-on sessions, internal portals, document review systems, and cloud-hosted workspaces that assume the browser is a safe interpreter of files and web content. If an attacker can extract even a little memory from a browser process, the information can be enough to support follow-on phishing or session theft.
Microsoft’s Security Update Guide has long recognized that Chromium vulnerabilities deserve attention in enterprise ecosystems because Chrome code and Chrome-like components are embedded into more than just the consumer browser. Microsoft has explicitly discussed how Chromium CVEs can appear in its own security guidance when browser technology is bundled into other products and experiences. That broadens the patching surface in ways many IT shops still underestimate.

Operational Consequences​

Patch timing becomes especially important when browser updates are part of a larger change-control process. If a fleet is holding on to an older Chrome baseline for compatibility testing, the exposure window may remain open long after the vendor has shipped the fix. In a mixed environment, that can create a split between secure and insecure workers that is hard to see without inventory discipline.
Enterprises should also think about remote work and unmanaged devices. A user who receives a crafted file on a personal laptop and later syncs data back into corporate services can become the weakest link in a much larger chain. The browser is a boundary, but it is not a wall.

• Inventory accuracy is critical for browser vulnerabilities.
• Delayed rollouts can leave shadow exposure on older builds.
• BYOD devices may fall outside central patch enforcement.
• Session data leakage can have downstream identity implications.
• Help desk load may rise if updates are forced across heterogeneous endpoints.

---

Consumer Impact​

For consumers, the practical risk is simpler but still real: a malicious file can be used to probe browser memory, and that exposure can enable fraud, follow-on exploitation, or privacy loss. The attack does not require the kind of advanced persistence that makes headlines; it only needs a believable delivery mechanism and a vulnerable browser build.
The consumer threat model is especially messy because browser updates are often automatic, but not always immediate. A laptop that sleeps through multiple update windows, a device that is rarely restarted, or a browser installed with unusual permissions can stay behind on a vulnerable build. This is why security advisories often feel routine right up until they are not.

What Users Should Assume​

Users should assume that any downloaded or previewed file could be part of the attack chain if it came from an untrusted source. That includes PDFs, image-heavy documents, archives, and files passed through chat or email attachments. The safest assumption is that the browser will eventually touch something hostile.
The good news is that the fix is straightforward. Updating Chrome to 147.0.7727.101 or later closes the specific issue, and users who keep automatic updates enabled are usually protected once the browser has relaunched. The bad news is that people often delay the restart that actually activates the fix.

• Update Chrome promptly.
• Restart the browser after updating.
• Avoid opening unknown attachments.
• Keep operating systems patched too.
• Treat preview panes and auto-open features cautiously.

---

How This Fits Chrome’s 2026 Security Pattern​

CVE-2026-6364 does not appear in isolation. Chrome’s 2026 release stream has already included several high-impact memory bugs, including earlier Skia flaws and a number of issues in adjacent high-risk components like V8, ANGLE, WebRTC, and WebML. That pattern tells us something important: the browser’s attack surface is not shrinking, even when engineering quality improves.
Earlier in March, Google disclosed CVE-2026-3909, an out-of-bounds write in Skia, and stated that an exploit existed in the wild. That is not the same vulnerability, but it is the same subsystem, and it reinforces the idea that Skia is a continuing target. Once a subsystem becomes a known rich vein for bugs, attackers and researchers both tend to spend more time there.

The Difference Between “Patch Volume” and “Patch Urgency”​

A month with many Chromium fixes can create fatigue in patch rooms. But volume should not be mistaken for noise. Large patch batches often mean engineers have accumulated a meaningful set of findings, and the safest operational response is to assume that at least one of them is materially important.
That also means security teams need a triage lens, not a blanket shrug. Memory bugs in rendering paths deserve faster treatment than low-impact UI quirks, especially when the flaw can leak process memory from a widely deployed browser. Not every CVE is equal, but some “Medium” issues are still high-value reconnaissance tools.

• Skia has reappeared in Chrome security notes multiple times in 2026.
• Memory safety remains a dominant source of browser risk.
• Public exploit status can change the operational priority dramatically.
• Patch fatigue is dangerous when it dulls response to recurring components.
• Subsystem clustering often reveals where attackers are focusing.

---

Microsoft’s Tracking Matters​

Microsoft’s presence in this story is not accidental. The company’s Security Update Guide has previously explained that it tracks Chromium CVEs because browser vulnerabilities can affect Microsoft products and supported scenarios, particularly where Chromium technology is embedded or integrated. That makes the MSRC reference to CVE-2026-6364 a useful signal for Windows administrators, not just a duplicate listing.
The fact that Microsoft’s vulnerability page mirrors the Chrome disclosure also shows how quickly browser security issues now propagate across vendor ecosystems. In practical terms, the same flaw may influence Chrome, Edge, documentation workflows, and enterprise support processes all at once. For administrators, that is a reminder to treat browser security as a platform concern rather than a single-app concern.

Why Cross-Vendor Visibility Helps​

Cross-vendor tracking gives defenders better change management and more complete reporting. If one vendor documents the bug in a product family and another vendor surfaces the same issue in its own advisory channel, that redundancy can reduce blind spots in enterprise inventories. It also helps organizations map whether the vulnerability affects only Chrome or a wider set of Chromium-based experiences.
That said, visibility is not the same as remediation. Organizations still have to ensure the affected browser instances are updated, and they need enough asset knowledge to confirm where Chromium code is in use. The advisory is the warning; the inventory is the defense.

• MSRC tracking helps enterprise defenders see Chromium risk in familiar tooling.
• Embedded browser components can widen the blast radius.
• Duplicate advisory paths improve visibility but not automatic remediation.
• Asset inventory remains the real limiter in large environments.
• Cross-platform usage makes browser security a governance issue, not just an endpoint issue.

---

What Makes This Vulnerability Different​

At first glance, CVE-2026-6364 can look routine: a read bug, a browser patch, and a version bump. But routine in browser security often means “the kind of issue that attackers quietly love.” Information disclosure vulnerabilities are attractive because they can be chained, reused, or weaponized in ways that are hard to detect.
What also stands out is that the flaw is tied to a crafted file, not necessarily a live webpage. That widens the phishing and social-engineering surface, because attackers are not restricted to in-browser exploits alone. They can deliver content through channels that users perceive as safer than the open web.

The Chaining Problem​

A leak can reveal heap pointers, process layout, object metadata, or other small fragments of state that make a second bug easier to exploit. In modern browser exploitation, those fragments can matter as much as the primary vulnerability itself. That is why defenders should not wait for a public exploit label before treating a disclosure bug as significant.
The distinction also matters for incident response. If a system shows signs of suspicious file handling in Chrome, analysts should think beyond immediate crash data and consider whether the attacker may have been probing for memory content rather than only trying to crash the browser. The absence of obvious damage is not proof of benign intent.

• File-based delivery broadens attacker options.
• Information leaks often support later exploitation.
• Low-severity labels can still hide high operational value.
• Crash-only thinking may miss the stealthier objectives of attackers.
• Content trust boundaries matter as much as code execution boundaries.

---

Strengths and Opportunities​

This update shows that the Chrome team continues to find and fix memory-safety issues before they become a larger public crisis, and that is a real strength. The browser’s security posture depends on rapid patching, aggressive fuzzing, and fast release cadence, and this release demonstrates that the pipeline is still functioning. It also gives defenders a concrete remediation target with a clear version floor.

• Clear fixed version: Chrome 147.0.7727.101 or later resolves the issue.
• Broad vendor visibility: Microsoft’s tracking increases enterprise awareness.
• Fast release cadence: updates can reach users quickly once installed.
• Strong ecosystem detection: repeated bug discovery suggests active testing and review.
• Actionable patch guidance: the vulnerability has a simple operational remedy.
• Opportunity for hardening: recurring Skia bugs can inform future memory-safe refactoring.

Risks and Concerns​

The main concern is that even a non-exploit-executing vulnerability can still leak enough memory to support broader compromise. Browser memory disclosure remains valuable to attackers because it can lower the cost of exploitation elsewhere, and the file-based trigger makes social engineering easier. The other concern is that fleets may not update as quickly as release notes imply, especially in managed or partially managed environments.

• Memory disclosure can assist exploit chaining.
• File delivery is easier to hide than direct exploitation.
• Patch lag creates real-world exposure beyond the announcement date.
• Skia recurrence suggests a persistent attack surface.
• Mixed browser estates complicate remediation and reporting.
• User behavior remains a weak point because updates often require relaunches.

---

Looking Ahead​

The near-term priority is obvious: make sure Chrome is updated everywhere it runs, and verify that the installed version is at least 147.0.7727.101. But the bigger lesson is that browser security in 2026 is still heavily shaped by memory-safety problems in shared libraries and rendering stacks. As long as those components remain complex and performance-critical, they will continue to attract both researchers and attackers.
Enterprises should also expect more cross-vendor vulnerability tracking like this in the future. The lines between browser, operating system, and app platform continue to blur, which means a single Chromium bug can show up in more than one security feed. That is not duplication for duplication’s sake; it is a sign that browser risk has become a platform-level concern.

• Verify build numbers across managed and unmanaged devices.
• Force browser restarts where updates are staged but not activated.
• Review file ingestion paths that lead into browser rendering.
• Audit Chromium-based applications that may inherit the fix cadence.
• Watch for additional Skia advisories as the subsystem remains a hotspot.

Chrome’s latest Skia bug is not the kind of headline-grabbing emergency that forces instant global panic, but it is exactly the sort of flaw that separates well-run security programs from merely reactive ones. If defenders treat it as a routine update, they may miss the real lesson: modern browser security is a constant contest over tiny memory mistakes with outsized consequences. The safest response is simple, disciplined, and immediate—patch, verify, and assume that small disclosure bugs can still have big downstream value.

---

Source: NVD / Chromium Security Update Guide - Microsoft Security Response Center