Google fixes critical Chrome flaws that could allow remote code execution
Google has released a Chrome security update for Windows, macOS, and Linux to fix 30 vulnerabilities, including multiple critical flaws that could allow remote attackers to execute code through malicious web content.
The Stable channel has been updated to 147.0.7727.137/138 for Windows and macOS, and 147.0.7727.137 for Linux. Google says the update will roll out gradually over the coming days and weeks.
The most serious issues fixed in this release are use-after-free vulnerabilities in browser components such as Canvas, iOS, Accessibility, and Views. These memory safety bugs can let attackers abuse freed memory and potentially run code inside the browser's security boundary.
What happened
Google published the Chrome desktop update on April 28, 2026. The release includes 30 security fixes, with several marked critical or high severity.
The highest-profile flaw is CVE-2026-7363, a critical use-after-free vulnerability in Canvas. Google credited researcher heapracer and awarded a $7,000 bounty for the report.
Google also highlighted critical use-after-free flaws in iOS, Accessibility, and Views. Several high-severity bugs were fixed in GPU, ANGLE, Animation, Navigation, Skia, Media, MHTML, WebMIDI, Cast, Codecs, WebRTC, V8, Chromoting, Tint, Feedback, and WebView.
At a glance
| Item | Details |
|---|---|
| Product | Google Chrome desktop |
| Update date | April 28, 2026 |
| Windows version | 147.0.7727.137/138 |
| macOS version | 147.0.7727.137/138 |
| Linux version | 147.0.7727.137 |
| Total security fixes | 30 |
| Most severe class | Critical use-after-free vulnerabilities |
| Main risk | Remote code execution through crafted web content |
| Known active exploitation | Google's release note does not list active exploitation for these flaws |
Critical flaws fixed in this release
| CVE | Component | Issue type | Severity | Reward |
|---|---|---|---|---|
| CVE-2026-7363 | Canvas | Use after free | Critical | $7,000 |
| CVE-2026-7361 | iOS | Use after free | Critical | Not available |
| CVE-2026-7344 | Accessibility | Use after free | Critical | Not available |
| CVE-2026-7343 | Views | Use after free | Critical | Not available |
Why use-after-free bugs are dangerous
A use-after-free vulnerability happens when software continues to use memory after it has already been released. Attackers can sometimes place controlled data into that freed memory space.
In a browser, this kind of memory corruption can become dangerous when a user visits a crafted webpage. If exploitation succeeds, the attacker may execute code inside Chrome's sandboxed browser process.
That does not always mean full system takeover on its own. However, browser memory bugs can become more serious when attackers combine them with other vulnerabilities or sandbox escape techniques.
High-severity issues also patched
Google also fixed many high-severity flaws in this release. One of the most notable is CVE-2026-7333, a use-after-free issue in the GPU component that earned a $16,000 reward.
Other high-severity issues affect components used for rendering, media playback, browser navigation, device communication, remote access, and web platform features. These areas process complex untrusted content from websites and browser sessions.
That makes rapid updating important. Even if Google restricts full bug details at first, attackers often reverse-engineer patches after release to understand what changed.
Selected high-severity fixes
| CVE | Component | Issue type |
|---|---|---|
| CVE-2026-7333 | GPU | Use after free |
| CVE-2026-7360 | Compositing | Insufficient validation of untrusted input |
| CVE-2026-7359 | ANGLE | Use after free |
| CVE-2026-7358 | Animation | Use after free |
| CVE-2026-7353 | Skia | Heap buffer overflow |
| CVE-2026-7351 | MHTML | Race condition |
| CVE-2026-7337 | V8 | Type confusion |
| CVE-2026-7347 | Chromoting | Use after free |
Why Google restricts bug details
Google says access to bug details and exploit links may remain restricted until most users receive the fix. This is a normal security practice after browser patches.
Publishing full technical details too early can help attackers build working exploits against people who have not updated yet. Delaying those details gives users, companies, and managed environments more time to patch.
This matters for Chrome because the browser has a very large user base. Even a short patch delay can leave millions of systems exposed to newly understood attack techniques.
How users can update Chrome
Chrome usually updates automatically, but users should check manually because browser updates only fully apply after a restart.
- Open Google Chrome.
- Click the three-dot menu in the top-right corner.
- Go to Help.
- Click About Google Chrome.
- Wait for Chrome to check for updates.
- Click Relaunch when the update finishes.
After restarting, users should confirm that Chrome shows version 147.0.7727.137, 147.0.7727.138, or a later version.
What administrators should do
Enterprise administrators should prioritize deployment across Windows, macOS, and Linux endpoints. Managed browsers can lag behind consumer updates if update policies, restart behavior, or software deployment windows slow the rollout.
Administrators should also review browser inventory to identify systems running older Chrome builds. Devices used by executives, developers, finance teams, and customer support staff should receive priority because they often handle sensitive web sessions.
Chrome-based browsers may also need separate attention. Organizations should check their full browser fleet, not only Google Chrome installations.
Enterprise checklist
- Deploy Chrome 147.0.7727.137/138 or later across managed endpoints.
- Force browser restarts where policy allows.
- Verify update status through endpoint management tools.
- Prioritize high-risk users and internet-facing roles.
- Review Chrome update policies for paused or delayed channels.
- Check Linux systems separately, especially developer workstations.
- Monitor security advisories for Chromium-based browser updates.
- Educate users not to postpone browser relaunch prompts.
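As an added example (not Google's code or anything from the release note), here is a small Python check an administrator could run over a browser inventory export to flag endpoints below the fixed builds named above; the per-platform minimums are the versions given in this article, while the host names and older version strings are constructed sample data.

```python
import re
from typing import Optional, Tuple

# Fixed Stable builds per platform, taken from the release note quoted
# in the article. Windows and macOS ship as 137/138, so 137 is the floor.
FIXED_VERSION = {
    "windows": (147, 0, 7727, 137),
    "macos": (147, 0, 7727, 137),
    "linux": (147, 0, 7727, 137),
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")

def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Pull a four-part Chrome version out of strings such as
    'Google Chrome 147.0.7727.138' or a bare '147.0.7727.137'."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(p) for p in m.groups())

def is_patched(platform: str, version_text: str) -> bool:
    """True when the reported build is at or above the fixed build for
    that platform. Unknown platforms and unparseable versions count as
    unpatched so they surface for review instead of being ignored."""
    minimum = FIXED_VERSION.get(platform.lower())
    version = parse_version(version_text)
    if minimum is None or version is None:
        return False
    return version >= minimum

def outdated_hosts(inventory):
    """Return the host names from (host, platform, version) records that
    still need the update, in inventory order."""
    return [host for host, plat, ver in inventory if not is_patched(plat, ver)]

# Constructed sample inventory in the shape an endpoint management export
# might give; the host names and the older versions are made up.
SAMPLE_INVENTORY = [
    ("ws-finance-01", "windows", "Google Chrome 147.0.7727.138"),
    ("ws-dev-07", "linux", "Google Chrome 147.0.7727.137"),
    ("mac-exec-02", "macos", "Google Chrome 147.0.7727.121"),
    ("ws-support-11", "windows", "Google Chrome 146.0.7690.200"),
    ("kiosk-03", "windows", "version unknown"),
]

if __name__ == "__main__":
    for host in outdated_hosts(SAMPLE_INVENTORY):
        print("needs update:", host)
```

Hosts whose version cannot be parsed are deliberately reported as outdated, so a blank or malformed inventory field is investigated rather than silently passed.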
Why this matters
Chrome is one of the most exposed applications on a computer because it constantly processes untrusted web content. A malicious webpage, ad, attachment preview, or redirected link can reach the browser before most users notice anything unusual.
Memory safety vulnerabilities in browser components deserve fast patching because attackers can study patches and look for ways to target outdated systems.
For most users, the fix is straightforward. Update Chrome, restart the browser, and avoid delaying future browser restart prompts after security updates.
FAQ
Google updated Chrome to 147.0.7727.137/138 for Windows and macOS, and 147.0.7727.137 for Linux.
Google says this Chrome desktop update includes 30 security fixes.
CVE-2026-7363 is one of the most notable issues. It is a critical use-after-free vulnerability in Canvas.
Yes. Some of the vulnerabilities can allow remote code execution in the browser context when a vulnerable user visits specially crafted web content.