Description
Use after free in Cast in Google Chrome prior to 147.0.7727.138 allowed an attacker on the local network segment to potentially exploit heap corruption via malicious network traffic. (Chromium security severity: High)
Published: 2026-04-28
Score: n/a
EPSS: n/a
KEV: No
Impact: Potential local-network remote code execution through heap corruption
Action: Immediate Update
AI Analysis

Impact

A use-after-free bug (CWE-416) in the Cast component of Google Chrome allows an attacker on the same local network segment to send crafted Cast traffic that corrupts the heap. The flaw can be leveraged to achieve arbitrary code execution or denial of service; Chromium rates its severity as high.

Affected Systems

Google Chrome stable-channel desktop releases prior to version 147.0.7727.138 are affected.

Risk and Exploitability

Chromium rates this vulnerability as high. No EPSS score is available and it is not listed in CISA KEV. Exploitation requires being on the local network segment to deliver malicious Cast traffic, and no public exploit is known, so the practical risk depends on the attacker's network position. Nonetheless, arbitrary code execution remains a serious threat, so patching should be prioritized.

Generated by OpenCVE AI on April 29, 2026 at 02:34 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade Chrome to version 147.0.7727.138 or later to eliminate the use-after-free flaw
  • If the upgrade cannot be applied immediately, prevent the device from receiving local-network Cast traffic by configuring the firewall to block UDP ports 32768–65535, or by directing Cast traffic through controlled network paths
  • As a temporary measure, disable the Cast feature in Chrome settings, or enforce that setting via group policy, to prevent exploitation while the full update is pending

Advisories

No advisories yet.

History

Wed, 29 Apr 2026 03:00:00 +0000

Type  | Values Removed | Values Added
Title |                | Use-After-Free in Cast Leading to Local Network Heap Corruption in Google Chrome

Wed, 29 Apr 2026 01:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Google, Google chrome
Vendors & Products  |                | Google, Google chrome

Tue, 28 Apr 2026 23:00:00 +0000

Type        | Values Removed | Values Added
Description |                | Use after free in Cast in Google Chrome prior to 147.0.7727.138 allowed an attacker on the local network segment to potentially exploit heap corruption via malicious network traffic. (Chromium security severity: High)
Weaknesses  |                | CWE-416
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-04-28T22:36:06.870Z

Reserved: 2026-04-28T20:02:34.920Z

Link: CVE-2026-7338

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-28T23:16:21.370

Modified: 2026-04-28T23:16:21.370

Link: CVE-2026-7338

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T02:45:35Z

Weaknesses