CVE-2026-7929 Overview
CVE-2026-7929 is a use-after-free vulnerability [CWE-416] in the MediaRecording component of Google Chrome prior to version 148.0.7778.96. A remote attacker who convinces a user to perform specific UI gestures can execute arbitrary code in the browser process via a crafted HTML page. Chromium classifies the security severity as High. The flaw affects Chrome on Windows, macOS, and Linux.
Critical Impact
Successful exploitation allows arbitrary code execution within the Chrome renderer, providing attackers a foothold for sandbox escape attempts and follow-on compromise of the host system.
Affected Products
- Google Chrome prior to 148.0.7778.96 on Microsoft Windows
- Google Chrome prior to 148.0.7778.96 on Apple macOS
- Google Chrome prior to 148.0.7778.96 on Linux
Discovery Timeline
- 2026-05-06 - CVE-2026-7929 published to the National Vulnerability Database (NVD)
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-7929
Vulnerability Analysis
The vulnerability resides in Chrome's MediaRecording subsystem, which captures audio and video streams from MediaStream sources for use by the JavaScript MediaRecorder API. A use-after-free condition occurs when the component continues to reference an object after it has been deallocated. An attacker who triggers the dangling reference can influence the contents of the freed memory and steer execution toward attacker-controlled data.
Exploitation requires the victim to load a crafted HTML page and perform specific user-interface gestures, such as starting or stopping recording. The combination of network reachability and required user interaction increases attack complexity but does not eliminate the threat for users browsing untrusted content.
Root Cause
The defect is a memory-management error categorized as [CWE-416] Use After Free. The MediaRecording code path retains a pointer to an object whose lifetime ended through a concurrent or asynchronous event triggered by the user gesture. Subsequent access to that pointer reads or writes freed heap memory, allowing an attacker to corrupt object metadata and hijack control flow.
Attack Vector
The attack vector is network-based. An attacker hosts a malicious or compromised web page that loads in the victim's Chrome browser. The page uses the MediaRecorder API along with timing primitives to trigger the freed-object access. Because user interaction is required, attackers typically pair the page with social engineering prompts that request microphone or camera permissions and direct the user to click recording controls. Detailed technical commentary is restricted; refer to the Chromium Issue Tracker entry and the Google Chrome update announcement for vendor-supplied details.
Detection Methods for CVE-2026-7929
Indicators of Compromise
- Chrome renderer process crashes referencing MediaRecorder, blink::MediaRecorder, or media::AudioEncoder in crash dumps and chrome://crashes entries.
- Unexpected child processes spawned by chrome.exe shortly after a user visited an untrusted page that requested camera or microphone access.
- Outbound network connections to unfamiliar hosts initiated by the renderer or by post-exploitation tooling launched from the browser.
Detection Strategies
- Inventory installed Chrome versions across the fleet and flag any endpoint running a build older than 148.0.7778.96.
- Monitor browser telemetry and EDR process trees for anomalous code execution descending from Chrome renderer processes.
- Hunt for HTML pages that combine MediaRecorder API calls with rapid start()/stop() cycles served from low-reputation domains.
Monitoring Recommendations
- Forward Chrome crash and stability telemetry to a centralized logging platform for correlation with web proxy logs.
- Alert on Chrome renderer crashes that occur within seconds of a getUserMedia permission grant.
- Track DNS and proxy logs for newly registered or low-reputation domains accessed immediately before browser instability.
How to Mitigate CVE-2026-7929
Immediate Actions Required
- Update Google Chrome to version 148.0.7778.96 or later on Windows, macOS, and Linux endpoints.
- Force a browser restart after the update so the patched binaries are loaded into memory.
- Verify enterprise deployment tools and managed browser configurations are not pinning Chrome to a vulnerable build.
Patch Information
Google released the fix in the Stable channel update documented in the Google Chrome update announcement. Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi typically inherit this fix; administrators should confirm their downstream vendor has shipped a corresponding release.
Workarounds
- Restrict camera and microphone permissions through enterprise policy using VideoCaptureAllowedUrls and AudioCaptureAllowedUrls so only trusted origins can invoke MediaRecorder.
- Block access to untrusted or newly registered domains at the web proxy until patching completes.
- Educate users to deny media-capture prompts on unfamiliar sites and to avoid clicking recording controls on untrusted pages.
# Example Chrome enterprise policy (Linux managed JSON) restricting media capture
# Place in /etc/opt/chrome/policies/managed/media_capture.json
{
"VideoCaptureAllowedUrls": ["https://meet.example.com", "https://conference.corp.local"],
"AudioCaptureAllowedUrls": ["https://meet.example.com", "https://conference.corp.local"],
"DefaultMediaStreamSetting": 2
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
