CVE-2026-7345 Overview
CVE-2026-7345 is a high-severity vulnerability in Google Chrome's Feedback component caused by insufficient validation of untrusted input. The flaw affects Chrome versions prior to 147.0.7727.138 across Windows, macOS, and Linux platforms. An attacker who has already compromised the renderer process can leverage a crafted HTML page to potentially escape the Chrome sandbox. A successful sandbox escape moves the attacker from the constrained renderer context into the higher-privileged browser process, expanding access to the host operating system. Google has rated the Chromium security severity as High and released a fix in the Stable channel update on April 28, 2026.
Critical Impact
Renderer-compromised attackers can break out of the Chrome sandbox via crafted HTML delivered to the Feedback component, gaining elevated execution context on the host.
Affected Products
- Google Chrome prior to 147.0.7727.138
- Microsoft Windows (Chrome desktop builds)
- Apple macOS and Linux (Chrome desktop builds)
Discovery Timeline
- 2026-04-28 - Google releases Stable channel update fixing CVE-2026-7345
- 2026-04-28 - CVE-2026-7345 published to NVD
- 2026-04-30 - Last updated in NVD database
Technical Details for CVE-2026-7345
Vulnerability Analysis
The vulnerability resides in Chrome's Feedback component, which handles user-submitted feedback data that crosses process boundaries. The flaw is classified as improper input validation [CWE-20]. Feedback processing accepts data originating from the renderer process without sufficient validation before acting on it. When the renderer is already controlled by an attacker, the Feedback path becomes an unintended channel to influence higher-privileged browser components. This pattern is a well-known sandbox escape primitive in modern browser architectures, where renderer-to-browser IPC surfaces must treat all incoming data as untrusted.
Root Cause
The root cause is missing or incomplete validation of untrusted input passed from a renderer to the Feedback subsystem. The Feedback handler trusts structure or content that an attacker-controlled renderer can shape arbitrarily. Browser-side code then operates on this data in a privileged context, allowing the attacker to alter execution beyond the sandbox boundary.
Attack Vector
Exploitation requires two stages. First, the attacker must already have compromised the renderer process, typically by chaining a separate renderer-side bug such as a V8 type confusion or use-after-free. Second, the attacker delivers a crafted HTML page that triggers Feedback interactions, sending malformed input through the unvalidated path. User interaction is required, and attack complexity is rated High, reflecting the multi-stage exploitation requirement. A successful chain results in a sandbox escape with high impact to confidentiality, integrity, and availability. Refer to the Chromium Issue Tracker Entry for additional technical context.
Detection Methods for CVE-2026-7345
Indicators of Compromise
- Chrome browser processes spawning unexpected child processes or writing to sensitive filesystem paths shortly after rendering attacker-controlled HTML.
- Crash dumps or stability reports referencing the Feedback component on Chrome builds older than 147.0.7727.138.
- Outbound connections from Chrome to uncategorized or newly registered domains immediately preceding anomalous host activity.
Detection Strategies
- Inventory installed Chrome versions across endpoints and flag any build below 147.0.7727.138 as vulnerable.
- Hunt for renderer-to-browser process anomalies, such as Chrome browser processes executing shell binaries, scripting engines, or LOLBins.
- Correlate browser crash telemetry with subsequent process or persistence activity on the same host within a short time window.
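For the inventory step above, an added example (not part of the original advisory) that triages collected version strings against the fixed build. It compares the four version fields numerically, because a plain string comparison would rank 147.0.7727.99 above 147.0.7727.138. Hostnames, the sample outputs and the other version numbers are constructed for illustration.

```python
import re

FIXED = (147, 0, 7727, 138)  # first patched build, taken from this advisory
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")

def parse_version(text):
    """Extract a four-part Chrome version from raw tool output, or None."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None

def triage(inventory):
    """Map each host to 'patched', 'vulnerable' or 'unknown'."""
    result = {}
    for host, raw in inventory:
        version = parse_version(raw)
        if version is None:
            # No parsable version: investigate, never assume patched
            result[host] = "unknown"
        elif version < FIXED:  # tuple comparison is numeric, field by field
            result[host] = "vulnerable"
        else:
            result[host] = "patched"
    return result

# Constructed sample inventory: (host, raw output of the version check)
SAMPLE = [
    ("ws-001", "Google Chrome 147.0.7727.138"),
    ("ws-002", "Google Chrome 147.0.7727.99 "),
    ("mac-07", "Google Chrome 146.0.7680.200"),
    ("ws-014", "    version    REG_SZ    148.0.7800.10"),
    ("ws-009", "ERROR: The system was unable to find the specified registry key or value."),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```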
Monitoring Recommendations
- Forward Chrome process telemetry, including parent-child relationships and command lines, into a centralized analytics pipeline for behavioral review.
- Monitor for write operations by Chrome processes to autorun locations, scheduled task stores, and user profile script directories.
- Alert on Chrome processes loading unsigned modules or modules from user-writable paths.
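The parent-child hunt and the crash correlation described above, as an added example that is not from the original advisory or any vendor product. The event schema, the list of suspect child binaries and the five-minute window are assumptions to adapt to your own telemetry; the sample events are constructed.

```python
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Assumed event schema (not tied to any EDR): time, host, type, image, parent
SUSPECT = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
           "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
WINDOW = timedelta(minutes=5)  # assumed correlation window, tune per fleet

def name(path):
    return PureWindowsPath(path).name.lower()

def hunt(events):
    """Flag Chrome spawning shells, script hosts or LOLBins.

    Severity is 'high' if a Chrome crash was seen on the same host within
    WINDOW before the spawn, otherwise 'medium'.
    """
    last_crash, findings = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["type"] == "crash":
            if name(ev["image"]) == "chrome.exe":
                last_crash[ev["host"]] = ev["time"]
        elif ev["type"] == "process_start":
            child = name(ev["image"])
            if name(ev["parent"]) != "chrome.exe" or child not in SUSPECT:
                continue  # Chrome's own chrome.exe children are normal
            crash = last_crash.get(ev["host"])
            recent = crash is not None and ev["time"] - crash <= WINDOW
            findings.append((ev["host"], child, "high" if recent else "medium"))
    return findings

# Constructed sample telemetry (hosts, times and paths are made up)
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
T0 = datetime(2026, 5, 1, 9, 0, 0)
SAMPLE = [
    {"time": T0, "host": "ws-002", "type": "crash", "image": CHROME},
    {"time": T0 + timedelta(seconds=40), "host": "ws-002", "type": "process_start",
     "parent": CHROME, "image": r"C:\Windows\System32\cmd.exe"},
    {"time": T0 + timedelta(seconds=50), "host": "ws-002", "type": "process_start",
     "parent": CHROME, "image": CHROME},
    {"time": T0 + timedelta(hours=2), "host": "ws-005", "type": "process_start",
     "parent": CHROME,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"time": T0 + timedelta(hours=2, minutes=1), "host": "ws-005",
     "type": "process_start", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE):
        print(finding)
```

Baseline legitimate cases before alerting on the 'medium' tier, such as Chrome launching native messaging hosts through cmd.exe on Windows.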
How to Mitigate CVE-2026-7345
Immediate Actions Required
- Update Google Chrome to version 147.0.7727.138 or later on Windows, macOS, and Linux endpoints.
- Force a browser restart after deployment to ensure the patched binary is active for all users.
- Validate enterprise update channels and managed Chrome policies to confirm clients are receiving Stable channel updates.
Patch Information
Google addressed CVE-2026-7345 in the Chrome Stable channel release 147.0.7727.138, published on April 28, 2026. Details are available in the Google Chrome Stable Update advisory. Organizations using managed deployments should push the update through Chrome Browser Cloud Management, group policy, or their endpoint management platform.
Workarounds
- No vendor-supplied workaround exists; upgrading to the patched build is the only complete remediation.
- Restrict browsing of untrusted sites via web filtering and DNS controls until patches are fully deployed.
- Apply site isolation and enforce least-privilege user accounts to limit post-exploitation impact if a renderer compromise occurs.
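# Verify installed Chrome version on Linux
google-chrome --version
# macOS: the binary lives inside the application bundle
"/Applications/Google Chrome.app/Contents/MacOS/Google Chrome" --version
# Expected output: Google Chrome 147.0.7727.138 or newer
# Windows: query the version Chrome records per user in the registry (HKCU)
reg query "HKCU\Software\Google\Chrome\BLBeacon" /v version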


