CVE-2026-7336 Overview
CVE-2026-7336 is a use-after-free vulnerability in the WebRTC component of Google Chrome versions prior to 147.0.7727.138. The flaw allows a remote attacker to execute arbitrary code inside the Chrome sandbox by serving a crafted HTML page to a victim. Google classifies the Chromium security severity as High, and the issue is tracked under CWE-416. Successful exploitation requires user interaction, such as visiting a malicious or compromised website. The vulnerability affects Chrome on Windows, macOS, and Linux desktop platforms.
Critical Impact
A remote attacker can trigger memory corruption in WebRTC to execute arbitrary code within the Chrome renderer sandbox via a crafted web page.
Affected Products
- Google Chrome prior to 147.0.7727.138 on Microsoft Windows
- Google Chrome prior to 147.0.7727.138 on Apple macOS
- Google Chrome prior to 147.0.7727.138 on Linux
Discovery Timeline
- 2026-04-28 - CVE-2026-7336 published to NVD
- 2026-04-28 - Google releases stable channel desktop update fixing the issue
- 2026-04-30 - Last updated in NVD database
Technical Details for CVE-2026-7336
Vulnerability Analysis
The vulnerability is a use-after-free condition in WebRTC, the real-time communication stack embedded in Chromium. WebRTC handles peer-to-peer audio, video, and data channels and exposes a complex set of JavaScript APIs to web content. A use-after-free occurs when code dereferences a pointer to memory that has already been released. An attacker who controls the allocation pattern can replace the freed object with attacker-controlled data and hijack subsequent operations on that object. In Chrome, this typically leads to arbitrary code execution inside the renderer process. The renderer remains confined by the Chrome sandbox, so a successful exploit grants code execution at sandbox privilege level rather than full system compromise.
Root Cause
The defect stems from improper lifetime management of a WebRTC object [CWE-416]. Chromium's issue tracker entry 500767595 is currently access-restricted, which is standard practice until a sufficient fraction of users have applied the patch. The fixed version 147.0.7727.138 corrects the object lifecycle handling so freed memory is no longer reachable through stale references.
Attack Vector
Exploitation requires the victim to load a crafted HTML page in a vulnerable Chrome build. The attacker invokes WebRTC APIs in a specific sequence from JavaScript to trigger the dangling reference, then sprays the heap to control the reclaimed allocation. No authentication is required and the attack is delivered entirely over the network. Common delivery channels include malicious advertisements, watering-hole sites, and phishing links pointing to attacker-controlled domains.
No public proof-of-concept or exploit code is available at the time of writing. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Detection Methods for CVE-2026-7336
Indicators of Compromise
- Chrome renderer processes crashing with access violation or segmentation faults shortly after browsing untrusted sites with WebRTC activity
- Outbound STUN, TURN, or ICE traffic from endpoints to unexpected or low-reputation destinations
- Unusual child processes spawned from chrome.exe or the renderer helper on macOS and Linux
- Browser telemetry showing Chrome versions older than 147.0.7727.138 in the fleet
Detection Strategies
- Inventory installed Chrome versions across managed endpoints and flag any build below 147.0.7727.138.
- Hunt for renderer crash dumps referencing WebRTC modules such as libwebrtc or peer connection symbols.
- Correlate web proxy logs with endpoint telemetry to identify users who visited suspicious pages immediately before renderer instability.
Monitoring Recommendations
- Enable enterprise Chrome reporting through Chrome Browser Cloud Management to centralize version and crash data.
- Monitor EDR telemetry for post-exploitation behavior originating from Chrome processes, including unexpected file writes, script interpreters, or network listeners.
- Track WebRTC API usage on internal applications to distinguish legitimate traffic from anomalous peer connection attempts.
How to Mitigate CVE-2026-7336
Immediate Actions Required
- Update Google Chrome to version 147.0.7727.138 or later on all Windows, macOS, and Linux endpoints.
- Restart Chrome after the update so the patched binaries are loaded into memory.
- Verify Chromium-based browsers and embedded WebViews in the environment for downstream patches incorporating the WebRTC fix.
Patch Information
Google released the fix in the stable channel desktop update documented at Google Chrome Desktop Update. The patched version is 147.0.7727.138. Administrators using managed deployments should push the update through Chrome Browser Cloud Management, Microsoft Intune, Jamf, or equivalent tooling. Additional technical context, when public, will be available in Chromium Issue 500767595.
Workarounds
- Restrict WebRTC functionality through the WebRtcAllowLegacyTLSProtocols and related enterprise policies where business requirements permit.
- Block access to untrusted sites through web filtering and DNS controls to reduce exposure to crafted HTML payloads.
- Disable or limit unnecessary Chrome extensions that expand the renderer attack surface until patching is complete.
# Verify Chrome version on Linux/macOS endpoints
google-chrome --version
# Windows: query installed version via registry
reg query "HKLM\SOFTWARE\Google\Update\Clients\{8A69D345-D564-463C-AFF1-A69D9E530F96}" /v pv
# Enterprise policy snippet (Windows registry) to enforce auto-update
reg add "HKLM\SOFTWARE\Policies\Google\Update" /v UpdateDefault /t REG_DWORD /d 1 /f
: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
