{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-7336", "assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "state": "PUBLISHED", "assignerShortName": "Chrome", "dateReserved": "2026-04-28T20:02:33.914Z", "datePublished": "2026-04-28T22:36:04.498Z", "dateUpdated": "2026-04-28T22:36:04.498Z"}, "containers": {"cna": {"affected": [{"vendor": "Google", "product": "Chrome", "versions": [{"version": "147.0.7727.138", "status": "affected", "lessThan": "147.0.7727.138", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Use after free in WebRTC in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Use after free", "cweId": "CWE-416"}]}], "providerMetadata": {"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "shortName": "Chrome", "dateUpdated": "2026-04-28T22:36:04.498Z"}, "references": [{"url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_28.html"}, {"url": "https://issues.chromium.org/issues/500767595"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Use after free in WebRTC in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)"}], "id": "CVE-2026-7336", "lastModified": "2026-04-28T23:16:21.167", "metrics": {}, "published": "2026-04-28T23:16:21.167", "references": [{"source": "chrome-cve-admin@google.com", "url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_28.html"}, {"source": "chrome-cve-admin@google.com", "url": "https://issues.chromium.org/issues/500767595"}], "sourceIdentifier": "chrome-cve-admin@google.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "chrome-cve-admin@google.com", "type": "Primary"}]}

{"bugzilla": {"description": "chromium-browser: Use after free in WebRTC", "id": "2463676", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2463676"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-825", "details": ["An use after free flaw was found in the WebRTC component of the Chromium browser.\nUpstream bug(s):\nhttps://code.google.com/p/chromium/issues/detail?id=500767595"], "name": "CVE-2026-7336", "public_date": "2026-04-28T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-7336\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-7336\nhttps://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_28.html\nhttps://issues.chromium.org/issues/500767595"], "statement": "Red Hat Product Security rates the severity of this flaw as determined by the Google Chrome Security Advisory.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[147.0.7727.138,147.0.7727.138)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Chrome", "source": "cna", "vendor": "Google"}, "product": "chrome", "vendor": "google"}], "analysis": {"en": {"generated_at": "2026-04-29T01:06:12.108234+00:00", "value": {"mitigation_remediation": ["Update Google Chrome to version 147.0.7727.138 or later. ", "Enable Chrome\u2019s Safe Browsing and Site Isolation features to reduce the impact while no patch is available. ", "Stay alert to additional Chrome security releases and apply them promptly."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Google Chrome browsers running any version earlier than 147.0.7727.138 are affected. This includes all stable channel releases that precede the security patch supplied in April\u202f2026.", "description_and_impact": "A use\u2011after\u2011free bug exists in the WebRTC implementation of Google Chrome versions prior to 147.0.7727.138. When a crafted HTML page is loaded, the flaw causes the browser to access freed memory inside a sandboxed context, enabling a remote attacker to run arbitrary code with sandboxed privileges. The weakness is classified as CWE\u2011416 and the Chromium project rates the severity as high.", "risk_and_exploitability": "No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, but the Chromium project has identified it as a high\u2011severity flaw. The likely attack vector is a malicious web page that a user visits or is prompted to open. Exploitation requires the victim to load the crafted page in a Chrome browser, after which arbitrary code can be executed inside the browser\u2019s sandbox."}}}}, "created": "2026-04-29T01:15:44.708276+00:00", "title": "Use After Free in Chrome WebRTC Enabling Remote Code Execution via Crafted HTML", "updated": "2026-04-29T02:00:26.298938+00:00", "vendors": ["google", "google$PRODUCT$chrome"]}