CVE-2026-7354
Published: 28 April 2026
Summary
CVE-2026-7354 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 7.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-39 (Process Isolation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates CVE-2026-7354 by requiring timely installation of the Chrome patch to version 147.0.7727.138 that remediates the out-of-bounds read/write vulnerability in Angle.
Addresses memory corruption aspects of the out-of-bounds read/write vulnerability through mechanisms like address space layout randomization and stack guards to hinder exploitation.
Mitigates impact of potential sandbox escape from the Angle flaw by enforcing process isolation in the browser renderer to contain exploitation within domains.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is a memory corruption flaw in Chrome's graphics layer exploitable via a crafted HTML page, directly enabling drive-by compromise (T1189), client-side code execution (T1203), and sandbox escape for privilege escalation (T1068).
NVD Description
Out of bounds read and write in Angle in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Deeper analysisAI
CVE-2026-7354 is an out-of-bounds read and write vulnerability (CWE-125, CWE-787) in the Angle graphics component within Google Chrome prior to version 147.0.7727.138. Angle serves as the OpenGL ES implementation layer in Chromium-based browsers, and this flaw was publicly disclosed on 2026-04-28 with a Chromium security severity rating of High and a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
A remote attacker can exploit this vulnerability by enticing a user to interact with a crafted HTML page, potentially leading to a sandbox escape. The attack requires user interaction, such as visiting a malicious site, but no special privileges, enabling high-impact effects on confidentiality, integrity, and availability within the browser's sandboxed environment.
Google addressed this issue in the stable channel update for Chrome desktop, released as version 147.0.7727.138, as announced at https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_28.html. Further technical details are documented in the Chromium issue tracker at https://issues.chromium.org/issues/498746519. Security practitioners should prioritize updating affected Chrome installations to mitigate exploitation risk.
Details
- CWE(s)