Description
Use after free in media in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Published: 2026-04-28
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A use‑after‑free flaw in Chrome’s media subsystem allows a remote attacker to execute arbitrary code within the browser’s sandbox via a specially crafted HTML page. Because the code runs inside a sandboxed process, the flaw on its own yields control of that process only; full compromise of the host would additionally require a separate sandbox escape.

Affected Systems

All installations of Google Chrome versions earlier than 147.0.7727.138 are affected. The issue is limited to the media handling components and does not require elevated privileges beyond the normal browser user context.

Risk and Exploitability

The flaw carries a CVSS score of 8.8 (high severity) and permits code execution within a sandboxed environment. An EPSS score of 0.00038 (below 1%) indicates a very low probability of exploitation, and the vulnerability is not listed in CISA’s KEV catalog. Exploitation likely requires the user to load a malicious webpage, so social engineering is a prerequisite. Although there is no public exploitation evidence and no KEV listing, the immediate risk for actively browsing users remains moderate to high.

Generated by OpenCVE AI on April 29, 2026 at 21:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 147.0.7727.138 or newer
  • Configure Chrome to block or disable media playback for untrusted content, if possible
  • Keep the browser’s auto‑update feature enabled to receive future security patches promptly

Advisories

No advisories yet.

History

Wed, 29 Apr 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | (none) | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 29 Apr 2026 12:15:00 +0000

Type | Values Removed | Values Added
Title | Use After Free in Chrome Media Allowing Remote Code Execution | chromium-browser: Use after free in media
Weaknesses | (none) | CWE-825
References | (none listed) | (none listed)
Metrics | threat_severity: None | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}; threat_severity: Important


Wed, 29 Apr 2026 02:30:00 +0000

Type | Values Removed | Values Added
Title | (none) | Use After Free in Chrome Media Allowing Remote Code Execution

Wed, 29 Apr 2026 01:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | (none) | Google; Google chrome
Vendors & Products | (none) | Google; Google chrome

Tue, 28 Apr 2026 23:00:00 +0000

Type | Values Removed | Values Added
Description | (none) | Use after free in media in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Weaknesses | (none) | CWE-416
References | (none listed) | (none listed)

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-04-30T03:55:29.994Z

Reserved: 2026-04-28T20:02:33.559Z

Link: CVE-2026-7335

Vulnrichment

Updated: 2026-04-29T13:09:46.822Z

NVD

Status : Received

Published: 2026-04-28T23:16:21.067

Modified: 2026-04-29T14:16:20.630

Link: CVE-2026-7335

Redhat

Severity : Important

Public Date: 2026-04-28T00:00:00Z

Links: CVE-2026-7335 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-29T21:45:20Z

Weaknesses