CVE-2026-7345

Severity: High

Published: 28 April 2026
Modified: 30 April 2026
KEV Added: not listed
Patch: available
CVSS Score (v3.1): 8.3 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.0024 (15.4th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-7345 is a high-severity Improper Input Validation (CWE-20) vulnerability in Google Chrome. Its CVSS base score is 8.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks at the 15.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-39 (Process Isolation) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-7345 involves insufficient validation of untrusted input in the Feedback component of Google Chrome prior to version 147.0.7727.138. This vulnerability, tied to CWE-20, affects Chromium-based browsers and carries a CVSS v3.1 base score of 8.3 (High), as published on 2026-04-28.

A remote attacker who has already compromised the renderer process can exploit the flaw using a crafted HTML page to potentially escape the sandbox. The attack vector is network-accessible (AV:N) with high attack complexity (AC:H); it requires no privileges (PR:N) but does require user interaction (UI:R). Because the impact crosses from the sandboxed renderer into the browser process, the scope is changed (S:C), with high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H).

Mitigation is available via the stable channel update for desktop Chrome, detailed in the Chrome Releases blog at https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_28.html. Additional technical details are provided in the Chromium issue tracker at https://issues.chromium.org/issues/502248774. Security practitioners should ensure systems update to Chrome 147.0.7727.138 or later.

Vulnerability details

Insufficient validation of untrusted input in Feedback in Google Chrome prior to 147.0.7727.138 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

CWE(s)

CWE-20: Improper Input Validation

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned mapping)

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

The vulnerability enables a sandbox escape in a client browser (Chrome) after the renderer process has been compromised via crafted input. That maps to exploitation of a client application for code execution (T1203) and to privilege escalation out of the sandboxed process (T1068).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-9980 (same product: Apple macOS)
CVE-2026-3545 (same product: Apple macOS)
CVE-2026-4451 (same product: Apple macOS)
CVE-2026-8000 (same product: Apple macOS)
CVE-2026-9880 (same product: Apple macOS)
CVE-2026-5915 (same product: Apple macOS)
CVE-2026-9969 (same product: Apple macOS)
CVE-2026-9982 (same product: Apple macOS)
CVE-2026-7916 (same product: Apple macOS)
CVE-2026-8007 (same product: Apple macOS)

Affected Assets

Vendor: google
Product: chrome
Versions: ≤ 147.0.7727.138

Mitigating Controls (NIST 800-53 r5, AI-assigned mapping)

SI-10 Information Input Validation (prevent)

Directly addresses the insufficient validation of untrusted input in Chrome's Feedback component by requiring validation of all information inputs, which removes the condition that allows the sandbox escape.

SC-39 Process Isolation (prevent)

Enforces process isolation to contain a compromise within the renderer process, limiting what an attacker can reach from a crafted HTML page even after the renderer is compromised.

Flaw remediation (prevent)

Requires timely identification, reporting, and correction of flaws like this input validation vulnerability by patching to Chrome 147.0.7727.138 or later.