Description
Use after free in iOS in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)
Published: 2026-04-28
Score: 9.6 Critical
EPSS: n/a
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

A use-after-free flaw in Google Chrome for iOS enables a remote attacker to trigger heap corruption through a specially crafted HTML page. The vulnerability can lead to arbitrary memory reads or writes, which may ultimately allow arbitrary code execution on the device. The weakness is classified as CWE-416 (Use After Free), a memory management error in which memory is referenced after it has been freed.

Affected Systems

Google Chrome on iOS is affected. All releases before version 147.0.7727.138 contain the flaw, so users running those builds are exposed.

Risk and Exploitability

No CVSS or EPSS score is available and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is inferred to be a malicious HTML page loaded within the browser, requiring no authentication or local privilege escalation. Because Chromium assigned a critical severity, the risk remains high until the patch is applied.

Generated by OpenCVE AI on April 29, 2026 at 01:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome on iOS to version 147.0.7727.138 or newer.
  • Disable or restrict the execution of untrusted HTML content, for example by using content‑security‑policy settings or extensions that block external scripts, as a temporary measure.
  • Configure the iOS device to automatically install the latest Chrome updates and verify that the app’s update setting is enabled.

Advisories

No advisories yet.

History

Wed, 29 Apr 2026 12:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Title | | chromium-browser: chromium-browser: Use after free in iOS |
| References | | |
| Metrics | threat_severity: None | cvssV3_1: {'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}; threat_severity: Important |

Wed, 29 Apr 2026 01:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Google; Google chrome |
| Vendors & Products | | Google; Google chrome |

Tue, 28 Apr 2026 23:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Use after free in iOS in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical) |
| Weaknesses | | CWE-416 |
| References | | |

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-04-28T22:35:53.867Z

Reserved: 2026-04-28T20:02:49.424Z

Link: CVE-2026-7361

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-28T23:16:23.680

Modified: 2026-04-28T23:16:23.680

Link: CVE-2026-7361

Red Hat

Severity: Important

Public Date: 2026-04-28T00:00:00Z

Links: CVE-2026-7361 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-29T01:15:44Z

Weaknesses