CVE-2026-7343

High

Published: 28 April 2026

Published

28 April 2026

Modified

30 April 2026

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0007 22.0th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-7343 is a high-severity Use After Free (CWE-416) vulnerability in Google Chrome. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 22.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-39 (Process Isolation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Requires timely remediation of flaws, directly addressing the use-after-free vulnerability patched in Chrome version 147.0.7727.138.

SI-16 Memory Protection partial match

prevent

Implements memory protection mechanisms that mitigate exploitation of use-after-free errors in the renderer process.

SC-39 Process Isolation partial match

prevent

Enforces process isolation to limit the impact of sandbox escapes from a compromised renderer process.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

Why these techniques?

Use-after-free in Chrome renderer enables sandbox escape after initial renderer compromise, directly mapping to exploitation for privilege escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Use after free in Views in Google Chrome on Windows prior to 147.0.7727.138 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)

Deeper analysisAI

CVE-2026-7343 is a use-after-free vulnerability (CWE-416) in the Views component of Google Chrome on Windows, affecting versions prior to 147.0.7727.138. Published on 2026-04-28, this critical Chromium security issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H).

A remote attacker who has already compromised the renderer process can exploit the vulnerability via a crafted HTML page to potentially achieve a sandbox escape. The attack vector requires network access with high complexity, no privileges, and user interaction, leading to high impacts on confidentiality, integrity, and availability within unchanged scope.

Mitigation is available in Google Chrome version 147.0.7727.138 and later. Advisories detail the patch in the Chrome Releases stable channel update at https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_28.html and the associated Chromium issue at https://issues.chromium.org/issues/503645680.

Details

CWE(s): CWE-416

Affected Products

google

chrome

≤ 147.0.7727.138

CVEs Like This One

CVE-2026-4456Same product: Apple Macos

CVE-2026-6310Same product: Apple Macos

CVE-2026-6304Same product: Apple Macos

CVE-2026-4676Same product: Apple Macos

CVE-2026-6309Same product: Apple Macos

CVE-2026-5288Same product: Apple Macos

CVE-2026-5289Same product: Apple Macos

CVE-2026-5290Same product: Apple Macos

CVE-2026-5874Same product: Apple Macos

CVE-2026-6297Same product: Apple Macos

References

https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_28.html
Vendor Advisory · chrome-cve-admin@google.com
https://issues.chromium.org/issues/503645680
Permissions Required · chrome-cve-admin@google.com