Google disclosed two high-severity Chrome vulnerabilities in WebRTC, tracked as CVE-2026-7336 and CVE-2026-7341, that affect versions prior to 147.0.7727.138. Both bugs are classified as CWE-416 use-after-free issues and can be triggered when a user loads a crafted HTML page, allowing a remote attacker to achieve arbitrary code execution inside the browser sandbox.
The CVE records link the flaws to Chrome release notes and Chromium issue tracker entries, and both were published by Google's Chrome security team before receiving updates with CVSS details. CVE-2026-7336 was assigned a high-severity CVSS v3.1 rating reflecting impacts to confidentiality, integrity, and availability, while CVE-2026-7341 was later updated to clarify that exploitation requires user interaction, correcting an earlier scoring entry while preserving its overall high-impact assessment.

3 events from the most recent confirmed update back to the earliest known activity.
On April 29, 2026, the CVE-2026-7341 record was modified to change its CVSS v3.1 vector from no user interaction required to user interaction required. The update preserved the overall high-impact assessment and reflected a temporary addition and later removal of the earlier vector entry.
On April 29, 2026, the CVE-2026-7336 record was updated to add CVSS v3.1 scoring information while retaining its classification as a high-severity CWE-416 use-after-free issue. References to the Chrome Releases blog and Chromium issue tracker were included.
On April 28, 2026, CVE-2026-7336 and CVE-2026-7341 were published for use-after-free vulnerabilities in Google Chrome's WebRTC component. The flaws affect Chrome versions prior to 147.0.7727.138 and could allow remote code execution in the browser sandbox via a crafted HTML page.