Google has released an emergency stable channel update for Chrome desktop, pushing version 147.0.7727.137/138 for Windows and macOS and 147.0.7727.137 for Linux, addressing a total of 30 security vulnerabilities four of which carry a Critical severity rating. The update began rolling out on April 28, 2026, and will continue reaching users over the coming days and weeks.
This latest patch represents one of Chrome’s most significant security releases of the year, with the Critical-rated bugs all classified as use-after-free (UAF) memory corruption flaws a class of vulnerability frequently weaponized for sandbox escape and remote code execution attacks.
The four Critical-severity CVEs patched in this build all share the same dangerous vulnerability class use-after-free which occurs when a program continues to use a memory pointer after the referenced memory has been freed, potentially allowing attackers to execute arbitrary code.
| CVE | Component | Severity | Reporter | Bounty |
|---|---|---|---|---|
| CVE-2026-7363 | Canvas | Critical | heapracer (external) | $7,000 |
| CVE-2026-7361 | iOS | Critical | Google Internal | N/A |
| CVE-2026-7344 | Accessibility | Critical | Google Internal | N/A |
| CVE-2026-7343 | Views | Critical | Google Internal | N/A |
CVE-2026-7363 stands out as the only externally reported Critical flaw, with researcher “heapracer” earning a $7,000 bug bounty for discovering the use-after-free vulnerability in Chrome’s Canvas rendering component. The Canvas bug was reported on March 19, 2026, giving Google approximately five weeks to develop and test the fix before deployment.
CVE-2026-7344 in the Accessibility subsystem and CVE-2026-7343 in the Views UI framework were both discovered internally by Google on April 16–17, 2026, just days before this patch was finalized highlighting how Google’s Project Zero and internal red teams actively hunt for high-impact bugs ahead of exploitation.
26 High-Severity Flaws Across Core Components
Beyond the Critical bugs, this update resolves 26 High-severity vulnerabilities, making it an unusually dense security patch. The affected components span nearly every critical layer of Chrome’s architecture:
- GPU & ANGLE – CVE-2026-7333 ($16,000 bounty), CVE-2026-7357, CVE-2026-7354 (Out-of-Bounds Read/Write)
- WebRTC – CVE-2026-7336 (reported by Mozilla), CVE-2026-7341, CVE-2026-7339 (Heap buffer overflow, $4,000)
- V8 JavaScript Engine – CVE-2026-7337 (Type Confusion, reported by q@calif.io)
- Media & Codecs – CVE-2026-7335, CVE-2026-7348, CVE-2026-7352, CVE-2026-7355
- Cast & Chromoting – CVE-2026-7338, CVE-2026-7347, CVE-2026-7349
- Navigation, Animation, WebMIDI, WebView – Multiple UAF bugs
The $16,000 payout for CVE-2026-7333 (Use-after-free in GPU) by researcher “c6eed09fc8b174b0f3eebedcceb1e792” signals high exploitation potential Google’s Chrome Vulnerability Reward Program typically awards five-figure bounties only when a flaw poses credible sandbox escape risk.
Particularly notable is CVE-2026-7336 in WebRTC, reported by Mozilla a rare cross-organization disclosure that suggests the vulnerability may also affect Firefox-based products sharing similar WebRTC implementation code.
The Type Confusion in V8 (CVE-2026-7337) is another high-risk entry. V8 type confusion bugs are a historically exploited class: when the JavaScript engine misidentifies an object’s type, attackers can manipulate memory layout to gain code execution capabilities.
Medium-Severity Fixes Also Included
Three Medium-severity vulnerabilities round out this security patch:
- CVE-2026-7339 – Heap buffer overflow in WebRTC ($4,000 bounty)
- CVE-2026-7340 – Integer overflow in ANGLE ($3,000 bounty)
- CVE-2026-7355 – Use-after-free in Media (reported internally)
The ANGLE (Almost Native Graphics Layer Engine) component continues to be a recurring target, with both out-of-bounds and integer overflow bugs affecting this OpenGL abstraction layer that bridges Chrome’s rendering pipeline to platform-native graphics APIs.
Google credited its extensive internal fuzzing and sanitizer infrastructure for detecting a significant portion of these vulnerabilities before public exploitation occurred. The tools deployed include:
- AddressSanitizer (ASan) – Detects memory errors such as use-after-free and heap overflows
- MemorySanitizer (MSan) – Catches uninitialized memory reads
- UndefinedBehaviorSanitizer (UBSan) – Flags integer overflows and undefined operations
- libFuzzer & AFL – Automated fuzzing engines that generate millions of malformed inputs to trigger crashes
- Control Flow Integrity (CFI) – Prevents hijacking of execution flow via corrupted function pointers
Google confirmed that no vulnerabilities in this update are known to be actively exploited in the wild. However, given the Critical ratings and the typically short window between patch release and reverse-engineered exploit development, users are urged to update immediately.
How to Update Google Chrome
To apply this security patch now: open Chrome → click the three-dot menu (⋮) → go to Help → About Google Chrome → Chrome will automatically check for and install the update → restart the browser to apply.
Enterprise administrators managing Chrome deployments via Google Admin Console should consult the Chrome Enterprise Release Notes and prioritize pushing 147.0.7727.137 to all managed devices, particularly those with access to sensitive internal systems.
FAQ
Q1: What is CVE-2026-7363 in Chrome?
CVE-2026-7363 is a Critical use-after-free vulnerability in Chrome’s Canvas component, reported by researcher “heapracer” on March 19, 2026, and patched in version 147.0.7727.137.
Q2: Are any Chrome 147.0.7727.137 vulnerabilities actively exploited in the wild?
Google has confirmed that none of the 30 vulnerabilities fixed in this update are known to be actively exploited at the time of release.
Q3: Which Chrome version fixes the Critical use-after-free in Accessibility (CVE-2026-7344)?
CVE-2026-7344 is patched in Chrome version 147.0.7727.137 for Linux and 147.0.7727.137/138 for Windows and macOS, released April 28, 2026.
Q4: Why did Mozilla report a Chrome vulnerability (CVE-2026-7336)?
CVE-2026-7336 is a use-after-free in WebRTC a shared open-source component and Mozilla reported it to Google as part of cross-browser collaborative security disclosure, since the flaw could affect multiple browser engines.
Site: https://thecybrdef.com
For more insights and updates, follow us on Google News, Twitter, and LinkedIn.About the Author
