CVE-2026-7346
Published: 28 April 2026
Summary
CVE-2026-7346 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Google Chrome. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 8.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires timely identification, reporting, and patching of system flaws, directly addressing the need to update Google Chrome to version 147.0.7727.138 or later to remediate the out-of-bounds memory access vulnerability.
Implements memory protection mechanisms like bounds checking and isolation that directly prevent unauthorized out-of-bounds memory access exploited by the crafted HTML page.
Deploys malicious code protection mechanisms to scan and block execution of crafted HTML pages attempting to exploit the Tint component vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CVE describes a remote memory corruption vulnerability in Chrome triggered by a crafted HTML page on a malicious website, directly enabling drive-by compromise (T1189) and exploitation for client execution (T1203) via user interaction with no privileges required.
NVD Description
Inappropriate implementation in Tint in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)
Deeper analysisAI
CVE-2026-7346 stems from an inappropriate implementation in the Tint component of Google Chrome prior to version 147.0.7727.138. This flaw enables a remote attacker to trigger out-of-bounds memory access through a crafted HTML page. The vulnerability aligns with CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and carries a Chromium security severity rating of High, with a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N).
A remote attacker without privileges can exploit this issue by luring a user to interact with a malicious website hosting the crafted HTML page, requiring low attack complexity but user participation such as visiting or rendering the page. Exploitation grants high confidentiality and integrity impacts, potentially allowing unauthorized memory reads or writes, while availability remains unaffected.
Mitigation is provided via the Google Chrome stable channel update to version 147.0.7727.138 or later, as detailed in the Chrome Releases blog at https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_28.html and the Chromium issue tracker at https://issues.chromium.org/issues/502206907. Security practitioners should prioritize browser updates to affected systems.
Details
- CWE(s)