Description
Use after free in WebRTC in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Published: 2026-04-28
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: Remote Code Execution via use-after-free in WebRTC
Action: Immediate Patch
AI Analysis

Impact

A use-after-free flaw in Google Chrome’s WebRTC component allows a remote attacker to run arbitrary code inside the browser’s sandbox when a victim opens a specially crafted HTML page. Due to improper memory handling, the attacker can abuse the freed object to execute malicious instructions, compromising confidentiality, integrity, and potentially enabling privilege escalation within the browser if the sandbox is broken. The vulnerability is identified as CWE-416 and carries a high severity rating from Chromium’s security team.

Affected Systems

The flaw affects all Google Chrome releases prior to version 147.0.7727.138. Users running these earlier versions are susceptible, regardless of operating system, as the issue resides in the core WebRTC implementation bundled with the browser. Updated releases of Chrome starting with 147.0.7727.138 contain the necessary patch.

Risk and Exploitability

The EPSS score is not available and the vulnerability is not listed on the CISA KEV, but the high severity and the ability to trigger it via a remote HTML payload make the risk substantial. An attacker can embed malicious code in a web page that will be served to users who browse the site, executing the exploit without any interaction beyond page load. The primary attack vector is remote, through malicious or compromised websites that deliver the crafted payload to a vulnerable Chrome user.

Generated by OpenCVE AI on April 29, 2026 at 02:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 147.0.7727.138 or later.
  • If an immediate browser update is not possible, disable WebRTC by navigating to chrome://flags and setting "Turn off WebRTC" or "WebRTC IP handling policy" to "Disable".
  • Add content‑security‑policy restrictions to prevent execution of untrusted scripts from untrusted domains.

Generated by OpenCVE AI on April 29, 2026 at 02:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 29 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Title Use-After-Free in Chrome WebRTC Enabling Remote Code Execution chromium-browser: Use after free in WebRTC
Weaknesses CWE-825
References
Metrics threat_severity

None

 cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

threat_severity

Important

Wed, 29 Apr 2026 02:30:00 +0000

Type Values Removed Values Added
Title Use-After-Free in Chrome WebRTC Enabling Remote Code Execution

Wed, 29 Apr 2026 00:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Tue, 28 Apr 2026 23:00:00 +0000

Type Values Removed Values Added
Description Use after free in WebRTC in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Weaknesses CWE-416
References

Subscriptions

Google Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-04-28T22:36:07.714Z

Reserved: 2026-04-28T20:02:37.079Z

Link: CVE-2026-7341

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-04-28T23:16:21.690

Modified: 2026-04-28T23:16:21.690

Link: CVE-2026-7341

cve-icon Redhat

Severity : Important

Publid Date: 2026-04-28T00:00:00Z

Links: CVE-2026-7341 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T02:15:47Z

Weaknesses