{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-7356", "assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "state": "PUBLISHED", "assignerShortName": "Chrome", "dateReserved": "2026-04-28T20:02:46.361Z", "datePublished": "2026-04-28T22:35:57.933Z", "dateUpdated": "2026-04-28T22:35:57.933Z"}, "containers": {"cna": {"affected": [{"vendor": "Google", "product": "Chrome", "versions": [{"version": "147.0.7727.138", "status": "affected", "lessThan": "147.0.7727.138", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Use after free in Navigation in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Use after free", "cweId": "CWE-416"}]}], "providerMetadata": {"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "shortName": "Chrome", "dateUpdated": "2026-04-28T22:35:57.933Z"}, "references": [{"url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_28.html"}, {"url": "https://issues.chromium.org/issues/497769116"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Use after free in Navigation in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)"}], "id": "CVE-2026-7356", "lastModified": "2026-04-28T23:16:23.163", "metrics": {}, "published": "2026-04-28T23:16:23.163", "references": [{"source": "chrome-cve-admin@google.com", "url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_28.html"}, {"source": "chrome-cve-admin@google.com", "url": "https://issues.chromium.org/issues/497769116"}], "sourceIdentifier": "chrome-cve-admin@google.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "chrome-cve-admin@google.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,147.0.7727.138)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Chrome", "source": "cna", "vendor": "Google"}, "product": "chrome", "vendor": "google"}], "analysis": {"en": {"generated_at": "2026-04-29T01:09:17.504742+00:00", "value": {"mitigation_remediation": ["Upgrade Google Chrome to version 147.0.7727.138 or later.", "If an update cannot be applied immediately, block or remove the use\u2011of\u2011remote HTML content that might trigger navigation from untrusted sources.", "Implement site\u2011level restrictions or content security policies that limit the execution of untrusted scripts until a patch is available."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "All users of Google Chrome running any release before 147.0.7727.138 are affected. The vulnerability exists in the core navigation stack used by the browser to load web pages, and no specific operating system or architecture limitation is reported.", "description_and_impact": "A use\u2011after\u2011free flaw located in the Navigation component of Google Chrome versions prior to 147.0.7727.138 allows an attacker to execute arbitrary code by serving a malicious HTML page. The weakness permits arbitrary memory access, enabling a remote attacker to compromise the confidentiality, integrity, and availability of the system by running code with the privileges of the Chrome process.", "risk_and_exploitability": "The event is a high\u2011severity flaw that can be triggered when a user opens or renders a crafted HTML document. No publicly available exploit code is listed, and the EPSS score is not yet available, but the absence from CISA\u2019s KEV catalog does not diminish the potential for widespread exploitation. Attackers can achieve remote code execution simply by hosting the malicious page and enticing a victim to visit it, making the vulnerability highly actionable and presenting a significant risk to all affected users."}}}}, "created": "2026-04-29T01:15:44.710468+00:00", "title": "Use-After-Free in Chrome Navigation Enables Remote Code Execution via Malicious Web Page", "updated": "2026-04-29T01:30:05.927467+00:00", "vendors": ["google", "google$PRODUCT$chrome"]}