CVE-2026-7353
Published: 28 April 2026
Summary
CVE-2026-7353 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Google Chrome. Its CVSS base score is 8.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 6.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-39 (Process Isolation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mandates timely remediation of flaws like the Skia heap buffer overflow through patching to Chrome 147.0.7727.138.
Implements memory protections such as address space layout randomization and data execution prevention to mitigate heap buffer overflow exploitation.
Enforces process isolation in the renderer sandbox to block potential escapes even if the renderer process is compromised.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Heap buffer overflow in Chrome renderer enables client-side code execution via crafted HTML (T1203) and sandbox escape for privilege escalation (T1068).
NVD Description
Heap buffer overflow in Skia in Google Chrome prior to 147.0.7727.138 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Deeper analysisAI
CVE-2026-7353 is a heap buffer overflow vulnerability (CWE-122) in the Skia graphics library used by Google Chrome versions prior to 147.0.7727.138. This flaw affects the renderer process within Chrome, enabling potential exploitation through malformed inputs. The vulnerability carries a CVSS v3.1 base score of 8.3 (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H) and is rated High severity by Chromium security standards. It was published on 2026-04-28.
A remote attacker who has already compromised the Chrome renderer process could exploit this vulnerability via a crafted HTML page, potentially achieving a sandbox escape. Exploitation requires user interaction, such as visiting a malicious site, and involves high attack complexity. Successful exploitation could grant elevated privileges, leading to high impacts on confidentiality, integrity, and availability due to the changed scope.
Chrome's stable channel update advisory at https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_28.html details the patch in version 147.0.7727.138. Additional technical details are available in the Chromium issue tracker at https://issues.chromium.org/issues/498809718. Security practitioners should prioritize updating affected Chrome installations to mitigate this issue.
Details
- CWE(s)