CVE-2026-7357 Overview
CVE-2026-7357 is a use-after-free vulnerability [CWE-416] in the GPU component of Google Chrome versions prior to 147.0.7727.138. The flaw enables a remote attacker who has already compromised the renderer process to trigger heap corruption through a crafted HTML page. Successful exploitation can lead to arbitrary code execution outside the renderer sandbox.
The vulnerability affects Chrome on Windows, macOS, and Linux desktop platforms. Google rated the issue as High severity in its Chromium security tracker and addressed it in the Stable Channel update released on April 28, 2026.
Critical Impact
A compromised renderer process can leverage the GPU process use-after-free to corrupt heap memory and potentially escape the Chrome sandbox on any supported desktop platform.
Affected Products
- Google Chrome prior to 147.0.7727.138
- Microsoft Windows desktop installations of Chrome
- Apple macOS and Linux desktop installations of Chrome
Discovery Timeline
- 2026-04-28 - Google releases Stable Channel update for desktop addressing the issue
- 2026-04-28 - CVE-2026-7357 published to NVD
- 2026-04-30 - Last updated in NVD database
Technical Details for CVE-2026-7357
Vulnerability Analysis
The vulnerability is a use-after-free condition in Chrome's GPU process. A use-after-free occurs when a program continues to reference memory after it has been freed, allowing an attacker to manipulate the previously allocated region and influence subsequent operations against the dangling pointer.
Chrome's GPU process handles graphics commands forwarded from renderer processes through the Inter-Process Communication (IPC) channel. Because the GPU process runs with higher privileges than the sandboxed renderer, memory corruption inside it provides a path for sandbox escape. An attacker who corrupts the GPU heap can pivot from renderer-level code execution toward broader system access.
The Common Weakness Enumeration classification is [CWE-416]. Exploitation requires both a prior renderer compromise and user interaction with a crafted HTML page, which raises the attack complexity but does not eliminate the threat.
Root Cause
The defect stems from incorrect object lifetime management in GPU process code paths. A reference to an object is retained and dereferenced after the underlying allocation has been released, producing a dangling pointer accessible from attacker-influenced control flow.
Attack Vector
The attack proceeds in two stages. First, the attacker must already control the renderer process, typically through a separate renderer-side vulnerability or a malicious extension. Second, the attacker delivers a crafted HTML page that issues GPU commands designed to trigger the freed-object access and shape the heap for exploitation. Refer to the Chromium Issue Tracker Entry for upstream technical details.
Detection Methods for CVE-2026-7357
Indicators of Compromise
- Chrome GPU process crashes accompanied by heap corruption signatures in Windows Error Reporting, macOS CrashReporter, or Linux core dumps
- Outbound connections from chrome.exe GPU child processes to previously unseen domains following a crash
- Unexpected child processes spawned by Chrome immediately after rendering an external HTML page
Detection Strategies
- Monitor endpoint telemetry for repeated GPU process termination events tied to a single browsing session
- Correlate Chrome version inventory with NVD data to identify hosts running builds older than 147.0.7727.138
- Hunt for renderer process anomalies such as unusual memory allocations or IPC traffic to the GPU process before crash events
Monitoring Recommendations
- Ingest Chrome crash and stability telemetry into a centralized logging platform for cross-host correlation
- Track browser version compliance through endpoint management tooling and alert on drift
- Review proxy and DNS logs for indicators consistent with drive-by delivery of crafted HTML pages
How to Mitigate CVE-2026-7357
Immediate Actions Required
- Update Google Chrome to version 147.0.7727.138 or later on all Windows, macOS, and Linux endpoints
- Force a browser restart after deployment to ensure the patched binary is loaded across all Chrome processes
- Audit installed Chrome extensions and remove unverified or unused add-ons that could serve as a renderer compromise vector
Patch Information
Google published the fix in the Stable Channel update for desktop on April 28, 2026. Administrators should consult the Google Chrome Desktop Update advisory and deploy 147.0.7727.138 or newer through their endpoint management platform.
Workarounds
- Enforce site isolation and strict extension allowlists to reduce the likelihood of renderer compromise
- Apply enterprise policies that disable hardware acceleration where operational impact is acceptable, reducing GPU process exposure
- Restrict browsing to vetted sites on high-value workstations until patching is complete
# Verify deployed Chrome version on Linux endpoints
google-chrome --version
# Windows enterprise policy: enforce automatic updates via registry
reg add "HKLM\SOFTWARE\Policies\Google\Update" /v UpdateDefault /t REG_DWORD /d 1 /f
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
