{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-7361", "assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "state": "PUBLISHED", "assignerShortName": "Chrome", "dateReserved": "2026-04-28T20:02:49.424Z", "datePublished": "2026-04-28T22:35:53.867Z", "dateUpdated": "2026-04-28T22:35:53.867Z"}, "containers": {"cna": {"affected": [{"vendor": "Google", "product": "Chrome", "versions": [{"version": "147.0.7727.138", "status": "affected", "lessThan": "147.0.7727.138", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Use after free in iOS in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Use after free", "cweId": "CWE-416"}]}], "providerMetadata": {"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "shortName": "Chrome", "dateUpdated": "2026-04-28T22:35:53.867Z"}, "references": [{"url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_28.html"}, {"url": "https://issues.chromium.org/issues/493221953"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Use after free in iOS in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)"}], "id": "CVE-2026-7361", "lastModified": "2026-04-28T23:16:23.680", "metrics": {}, "published": "2026-04-28T23:16:23.680", "references": [{"source": "chrome-cve-admin@google.com", "url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_28.html"}, {"source": "chrome-cve-admin@google.com", "url": "https://issues.chromium.org/issues/493221953"}], "sourceIdentifier": "chrome-cve-admin@google.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "chrome-cve-admin@google.com", "type": "Primary"}]}

{"bugzilla": {"description": "chromium-browser: chromium-browser: Use after free in iOS", "id": "2463706", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2463706"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.6", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "status": "draft"}, "details": ["An use after free flaw was found in the iOS component of the Chromium browser.\nUpstream bug(s):\nhttps://code.google.com/p/chromium/issues/detail?id=493221953"], "name": "CVE-2026-7361", "public_date": "2026-04-28T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-7361\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-7361\nhttps://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_28.html"], "statement": "Red Hat Product Security rates the severity of this flaw as determined by the Google Chrome Security Advisory.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[147.0.7727.138,147.0.7727.138)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Chrome", "source": "cna", "vendor": "Google"}, "product": "chrome", "vendor": "google"}], "analysis": {"en": {"generated_at": "2026-04-29T01:12:54.569823+00:00", "value": {"mitigation_remediation": ["Upgrade Google Chrome on iOS to version 147.0.7727.138 or newer.", "Disable or restrict the execution of untrusted HTML content, for example by using content\u2011security\u2011policy settings or extensions that block external scripts, as a temporary measure.", "Configure the iOS device to automatically install the latest Chrome updates and verify that the app\u2019s update setting is enabled."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Google Chrome on iOS is affected. All releases before version 147.0.7727.138 contain the flaw, so users running those builds are exposed.", "description_and_impact": "A use\u2011after\u2011free flaw in Google Chrome for iOS enables a remote attacker to trigger heap corruption through a specially crafted HTML page. The vulnerability can lead to arbitrary memory reads or writes, which may ultimately allow arbitrary code execution on the device. The weakness is classified as CWE-416, a memory management error involving out\u2011of\u2011bounds access.", "risk_and_exploitability": "No CVSS or EPSS score is available and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is inferred to be a malicious HTML page loaded within the browser, requiring no authentication or local privilege escalation. Because Chromium assigned a critical severity, the risk remains high until the patch is applied."}}}}, "created": "2026-04-29T00:45:25.883736+00:00", "updated": "2026-04-29T01:15:44.715486+00:00", "vendors": ["google", "google$PRODUCT$chrome"]}