Description
Use after free in DevTools in Google Chrome prior to 147.0.7727.117 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Published: 2026-04-23
Score: 9.6 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Sandbox escape potentially leading to remote code execution
Action: Immediate Patch
AI Analysis

Impact

A use‑after‑free flaw in Chrome’s DevTools permits a remote attacker who has already compromised the renderer process to craft a malicious HTML page that can trigger a sandbox escape. This vulnerability enables the attacker to break out of the renderer sandbox and potentially execute arbitrary code with host system privileges. The flaw is classified as high severity with a CVSS score of 9.6 and is identified as CWE‑416.

Affected Systems

Google Chrome versions earlier than 147.0.7727.117 are affected. The flaw applies to all platforms where Chrome is installed, including Windows, macOS, Linux, and mobile devices running Android. Any system running a vulnerable Chrome build is susceptible if an attacker can supply a crafted HTML page to the user’s browser.

Risk and Exploitability

The vulnerability carries a CVSS score of 9.6, indicating a high exploitation risk, while the EPSS score is below 1 %, suggesting a relatively low current exploitation probability. The flaw is not listed in the CISA KEV catalog. The attack vector is inferred to be remote, relying on a crafted HTML page that a user may view in Chrome. Once the attacker delivers the malicious content and compromises the renderer, the use‑after‑free can be leveraged to escape the sandbox. Successful exploitation would grant the attacker significant privileges, potentially enabling full system compromise.

Generated by OpenCVE AI on April 28, 2026 at 14:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 147.0.7727.117 or later to apply the use‑after‑free fix.
  • If an upgrade is not feasible, disable or restrict DevTools usage when loading untrusted content.
  • Regularly keep Chrome installations up to date and monitor for exploitation attempts.

Generated by OpenCVE AI on April 28, 2026 at 14:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6230-1 chromium security update
History

Tue, 28 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Title Google Chrome: Chromium: chromium-browser: Use after free in DevTools
Weaknesses CWE-825
References
Metrics threat_severity

None

 threat_severity

Important

Fri, 24 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google android
Google chrome
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:google:android:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Google
Google android
Google chrome
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Fri, 24 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 23 Apr 2026 17:30:00 +0000

Type Values Removed Values Added
Description Use after free in DevTools in Google Chrome prior to 147.0.7727.117 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Weaknesses CWE-416
References

Subscriptions

Google Android Chrome
Linux Linux Kernel
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-04-24T13:37:36.823Z

Reserved: 2026-04-23T16:11:29.677Z

Link: CVE-2026-6919

cve-icon Vulnrichment

Updated: 2026-04-24T13:37:33.518Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-23T18:16:30.520

Modified: 2026-04-24T16:39:50.947

Link: CVE-2026-6919

cve-icon Redhat

Severity : Important

Publid Date: 2026-04-23T16:12:22Z

Links: CVE-2026-6919 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T15:00:14Z

Weaknesses