CVE-2026-7352
Published: 28 April 2026
Summary
CVE-2026-7352 is a high-severity Use After Free (CWE-416) vulnerability in Google Chrome. Its CVSS base score is 8.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189). The CVE ranks at the 14.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-39 (Process Isolation).
Deeper analysis
CVE-2026-7352 is a use-after-free vulnerability (CWE-416) in the Media component of Google Chrome on Android versions prior to 147.0.7727.138. Published on 2026-04-28, it carries a Chromium security severity rating of High and a CVSS v3.1 base score of 8.3 (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
The vulnerability can be exploited by a remote attacker who has already compromised the renderer process, using a crafted HTML page to potentially achieve a sandbox escape. Per the CVSS vector, the attack is network-based (AV:N), has high attack complexity (AC:H), needs no privileges (PR:N), and requires the victim to interact with the malicious page (UI:R). The scope is changed (S:C), with high impact on confidentiality, integrity, and availability.
The vulnerability is fixed in Chrome for Android version 147.0.7727.138 and later, as noted in the Google Chrome Releases stable channel update blog post at https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_28.html. Additional technical details are available in the associated Chromium issue tracker at https://issues.chromium.org/issues/499023054. Security practitioners should prioritize updating affected Android Chrome installations.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-26178
Vulnerability details
Use after free in Media in Google Chrome on Android prior to 147.0.7727.138 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The use-after-free in Chrome's Media component on Android enables a sandbox escape via a crafted HTML page after renderer compromise. This maps directly to Drive-by Compromise (T1189), because the victim visits a malicious page, and to Exploitation for Client Execution (T1203), because the goal is code execution outside the sandbox.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly remediates the use-after-free vulnerability by requiring timely patching of Google Chrome on Android to version 147.0.7727.138 or later.
Provides memory protections such as ASLR and DEP to mitigate unauthorized code execution from use-after-free exploits in the Chrome renderer process.
Enforces process isolation for the Chrome renderer sandbox to limit potential escape attempts triggered by the media component use-after-free.