Google Chrome addressed three use-after-free vulnerabilities tracked as CVE-2026-7347, CVE-2026-7363, and CVE-2026-7344 in versions prior to 147.0.7727.138. The bugs affect the Chromoting, Canvas, and Accessibility components, respectively, and all were classified under CWE-416. Two of the flaws were rated critical: CVE-2026-7363 allows a remote attacker to execute arbitrary code inside the browser sandbox on Linux and ChromeOS by luring a user to a crafted HTML page, while CVE-2026-7344 could let an attacker escape Chrome's sandbox on Windows after compromising the renderer process via crafted web content.
The third issue, CVE-2026-7347, was rated high severity and affects Chromoting, where malicious network traffic could enable arbitrary code execution without privileges or user interaction. CVSS data added to the records shows network-based exploitation with high impact to confidentiality, integrity, and availability, with CVE-2026-7363 and CVE-2026-7344 carrying the vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerabilities were documented in Chrome and Chromium tracking references, underscoring the need for organizations to move affected browsers to 147.0.7727.138 or later.

3 events from the most recent confirmed update back to the earliest known activity.
On April 29, 2026, the CVE records were updated to add CVSS v3.1 scoring details. The added vectors described network-reachable attack paths and high confidentiality, integrity, and availability impact, with user interaction required for the Canvas and Accessibility flaws but not for the Chromoting issue.
The disclosed CVE entries state that affected versions are those prior to Chrome 147.0.7727.138, indicating that this version contains fixes for the three flaws. The issues include a high-severity Chromoting remote code execution bug and critical Canvas and Accessibility use-after-free vulnerabilities.
On April 28, 2026, Google received CVE records for CVE-2026-7347, CVE-2026-7363, and CVE-2026-7344. The vulnerabilities affect Chrome prior to 147.0.7727.138 and involve use-after-free issues in Chromoting, Canvas, and Accessibility on Windows, with potential remote code execution or sandbox escape impact.