Description
Use after free in Codecs in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Published: 2026-04-28
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A use‑after‑free bug exists in the media codec component of Google Chrome before version 147.0.7727.138. When a crafted HTML page is rendered, the bug causes a memory region that has already been freed to be accessed again, enabling an attacker to run code inside the browser’s sandboxed renderer process. The vulnerability allows the execution of arbitrary code, presenting a high‑severity risk for affected browsers. It is identified as CWE‑416 (Use‑After‑Free) and CWE‑825 (Memory Corruption), and carries a CVSS score of 8.8.

Affected Systems

The flaw affects all Google Chrome installations on supported platforms—desktop, mobile, and web—where the version is older than 147.0.7727.138. Any stable channel build of Chrome that predates this release is vulnerable.

Risk and Exploitability

The issue is rated as high severity by Chromium security. An attacker who can supply a tailored web page can trigger the use‑after‑free from any remote location without the need for local credentials. The EPSS score of < 1% indicates that the probability of exploitation is low but not zero, and the vulnerability is not listed in the CISA KEV catalog. The attacker can execute arbitrary sandboxed code, which could be used for further attacks from within the confined renderer process. The CVSS score of 8.8 confirms a high‑severity risk.

Generated by OpenCVE AI on April 29, 2026 at 17:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 147.0.7727.138 or newer, which contains the patch for the Use‑After‑Free (CWE‑416) bug in the codec module.
  • If an immediate update is not possible, temporarily disable the affected codec processing via browser flags or group‑policy setting to mitigate the vulnerability until the patch can be applied.
  • Keep automatic updates enabled and monitor Chrome release notes for subsequent security updates addressing memory corruption (CWE‑825).

Generated by OpenCVE AI on April 29, 2026 at 17:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6239-1 chromium security update
History

Thu, 30 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Wed, 29 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 29 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Title Use-After-Free in Chrome Codecs Enables Remote RCE chromium-browser: Use after free in Codecs
Weaknesses CWE-825
References
Metrics threat_severity

None

 cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

threat_severity

Important

Wed, 29 Apr 2026 03:00:00 +0000

Type Values Removed Values Added
Title Use-After-Free in Chrome Codecs Enables Remote RCE

Wed, 29 Apr 2026 00:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Tue, 28 Apr 2026 23:00:00 +0000

Type Values Removed Values Added
Description Use after free in Codecs in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Weaknesses CWE-416
References

Subscriptions

Apple Macos
Google Chrome
Linux Linux Kernel
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-01T03:55:44.492Z

Reserved: 2026-04-28T20:02:41.233Z

Link: CVE-2026-7348

cve-icon Vulnrichment

Updated: 2026-04-29T13:10:34.317Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-28T23:16:22.377

Modified: 2026-04-30T18:27:23.530

Link: CVE-2026-7348

cve-icon Redhat

Severity : Important

Publid Date: 2026-04-28T00:00:00Z

Links: CVE-2026-7348 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T17:15:16Z

Weaknesses