CVE-2026-7356
Published: 28 April 2026
Summary
CVE-2026-7356 is a high-severity Use After Free (CWE-416) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189). The vulnerability ranks at the 22.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-7356 is a use-after-free vulnerability (CWE-416) in the Navigation component of Google Chrome versions prior to 147.0.7727.138. It allows a remote attacker to execute arbitrary code via a crafted HTML page; Chromium rates its security severity as High. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H): network-reachable, low attack complexity, no privileges required, user interaction required, with high impact on confidentiality, integrity, and availability.
A remote attacker with no privileges can exploit the flaw by luring a user to a malicious website or a crafted HTML page; user interaction is required, but no special permissions are. Successful exploitation yields arbitrary code execution in the context of the browser, potentially leading to a full sandbox escape or further compromise of the user's system.
Google's Chrome Releases blog details a stable channel update for desktop in the referenced advisory at https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_28.html, which patches this issue in version 147.0.7727.138. Additional technical details are available in the Chromium issue tracker at https://issues.chromium.org/issues/497769116. Security practitioners should urge users to update to the latest stable Chrome version to mitigate the risk.
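As an added example (not part of this advisory or of Chromium's own tooling), the following Python script checks reported Chrome version strings against the fixed build 147.0.7727.138 numerically rather than lexically, which matters because a pre-fix build such as 147.0.7727.99 sorts after 147.0.7727.138 when compared as a string. The inventory, hostnames and version strings are constructed for illustration.

```python
"""Fleet check: is a reported Chrome version patched for CVE-2026-7356?"""
import re
from typing import Optional

# Fixed stable build named in the advisory.
FIXED_VERSION = "147.0.7727.138"

_VERSION_RE = re.compile(r"(\d+(?:\.\d+){1,3})")


def parse_version(text: str) -> Optional[tuple]:
    """Extract a dotted version from text such as the output of
    `google-chrome --version` ("Google Chrome 147.0.7727.120") and return it
    as a tuple of ints so that comparison is numeric, not lexical."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    # Pad to four components so a short string like "147.0" still compares.
    return tuple(parts + [0] * (4 - len(parts)))


def is_vulnerable(version_text: str, fixed: str = FIXED_VERSION) -> Optional[bool]:
    """True if the reported version predates the fix, False if patched,
    None if no version could be parsed (treat as unknown, never as safe)."""
    found = parse_version(version_text)
    if found is None:
        return None
    return found < parse_version(fixed)


def triage(inventory: dict) -> dict:
    """Map hostname -> 'vulnerable' / 'patched' / 'unknown' for an
    inventory of {hostname: version string}."""
    labels = {True: "vulnerable", False: "patched", None: "unknown"}
    return {host: labels[is_vulnerable(v)] for host, v in inventory.items()}


# Constructed sample inventory (hypothetical hosts), including the
# lexical-compare trap: "147.0.7727.99" is older than the fix numerically.
SAMPLE_INVENTORY = {
    "ws-01": "Google Chrome 147.0.7727.99",
    "ws-02": "Google Chrome 147.0.7727.138",
    "ws-03": "Chromium 146.0.7700.52",
    "ws-04": "Google Chrome 148.0.7800.10",
    "ws-05": "chrome not installed",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```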
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-26182
Vulnerability details
Use after free in Navigation in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)
- CWE(s): CWE-416 (Use After Free)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The use-after-free in Chrome's Navigation component enables remote code execution via crafted HTML on a malicious site, which directly facilitates Drive-by Compromise (T1189) and Exploitation for Client Execution (T1203).
Affected Assets
Google Chrome versions prior to 147.0.7727.138
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly requires timely patching of known flaws such as this use-after-free in Chrome's Navigation component, by updating to version 147.0.7727.138 or later.
- SI-16 (Memory Protection): Implements memory protection mechanisms that prevent unauthorized code execution resulting from use-after-free memory reuse in the browser's Navigation component.
- SI-3 (Malicious Code Protection): Malicious code protection mechanisms detect and prevent execution of arbitrary code triggered by exploitation of the use-after-free via crafted HTML pages.