THREAT INTELLIGENCE

Multiple Google Chrome CVEs Enable Remote Code Execution

Affected Environment
Chrome installations on Windows, macOS and Linux running versions earlier than 147.0.7727.137/138 are exposed to multiple CVEs. Exposure applies wherever Chrome is used for user browsing or remote access functions within the organisation.

Threat Overview
Multiple high‑severity Chrome flaws can give an external attacker remote code execution inside a sandboxed Chrome process. On its own that compromises the browser and the data it handles; chained with a separate sandbox escape it reaches the host, where a successful attack could provide full system compromise and a foothold for lateral movement from the initially affected endpoint.

Exposure Timeline
Google released the fixed desktop versions on 28 April 2026; this alert was issued 29–30 April 2026. At publication time, there are no reports of in‑the‑wild exploitation, but exposure persists until updates are applied.

Attack Surface
Any user browsing session in an unpatched Chrome instance can be a trigger point via crafted web content or media. Features such as WebRTC, media, GPU, Canvas, WebView, Cast, and remote access components widen the potential attack surface.

Technical Root Cause
Most CVEs arise from memory safety issues, including use‑after‑free, heap buffer overflows, and out‑of‑bounds read/write in Chrome components. Additional flaws include insufficient input validation, integer overflow, type confusion, and race conditions in supporting libraries.

Exploitation Pathway
An attacker could lure a user to malicious content that exercises one of the memory or validation flaws in a Chrome process and obtains code execution there. If combined with a sandbox escape, this could allow code execution on the host, followed by credential access and lateral movement; without the escape, the impact is bounded by what the compromised browser process can reach.

Operational Impact
Compromise of a user workstation may expose sensitive data handled in Chrome, including business applications and webmail. An affected endpoint could be used as a pivot for further internal access, disrupting normal operations and requiring remediation.

Strategic Impact
Wide Chrome usage means the organisation may have broad exposure if patching is delayed or incomplete. Failure to manage these CVEs weakens overall browser security posture and undermines trust in web‑based business processes.

Required Mitigation
Update Chrome to version 147.0.7727.137/138 or later on all Windows, macOS and Linux assets after appropriate testing. Note that Chrome downloads updates in the background but only runs the new version after a relaunch, so a fleet can report the update as downloaded while still executing the vulnerable build; enforce a relaunch deadline (for managed Chrome, the RelaunchNotification and RelaunchNotificationPeriod policies) rather than relying on users to restart. Chrome stable receives security updates weekly, so a monthly patch cycle leaves a standing exposure window; prefer automated browser updates with forced relaunch, and ensure only fully supported, current browsers are allowed.

Incident Response Guidance
Verify fleet‑wide Chrome version compliance using the running version (reported by chrome://version, `google-chrome --version`, or the endpoint agent), not the installed package version, and prioritise high‑risk users and internet‑facing roles for immediate updates. If compromise is suspected, isolate affected endpoints, review browser‑originated activity (child processes spawned by Chrome, unexpected Chrome crashes, outbound connections from the browser) and follow standard vulnerability remediation.
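The compliance check above is easy to get wrong with a plain string comparison (for example, "147.0.7727.99" sorts after "147.0.7727.137" lexically). The following script is an added example, not part of the original advisory: it parses the `--version` banner that Chrome and Chromium print, compares each dotted numeric component against the fixed version, and classifies each host. It treats 147.0.7727.137 as the floor on all platforms (an assumption; .138 is the Windows build of the same release). The inventory lines are constructed sample data standing in for output collected over SSH or from an endpoint agent.

```bash
#!/usr/bin/env bash
# Added example for this advisory: classify hosts by running Chrome version.
set -euo pipefail

# Fixed version from the advisory. Assumption: .137 is the floor everywhere;
# the Windows build .138 is the same release and also passes.
MIN_CHROME_VERSION="147.0.7727.137"

# version_at_least A B: succeed if dotted version A >= B, comparing each
# numeric component in turn (avoids the lexical-sort pitfall).
version_at_least() {
  local -a a b
  IFS=. read -r -a a <<<"$1"
  IFS=. read -r -a b <<<"$2"
  local i x y
  for ((i = 0; i < 4; i++)); do
    x=${a[i]:-0}
    y=${b[i]:-0}
    if ((x > y)); then return 0; fi
    if ((x < y)); then return 1; fi
  done
  return 0
}

# parse_chrome_version BANNER: extract "N.N.N.N" from a line such as
# "Google Chrome 147.0.7727.100" or "Chromium 147.0.7727.137"; fail otherwise.
parse_chrome_version() {
  local banner=$1
  if [[ $banner =~ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) ]]; then
    printf '%s\n' "${BASH_REMATCH[1]}"
  else
    return 1
  fi
}

# classify_host HOST BANNER: print "HOST VERSION PATCHED|VULNERABLE" or
# "HOST - UNKNOWN" when no version could be read (Chrome absent, agent error).
classify_host() {
  local host=$1 banner=$2 version
  if ! version=$(parse_chrome_version "$banner"); then
    printf '%s - UNKNOWN\n' "$host"
    return 0
  fi
  if version_at_least "$version" "$MIN_CHROME_VERSION"; then
    printf '%s %s PATCHED\n' "$host" "$version"
  else
    printf '%s %s VULNERABLE\n' "$host" "$version"
  fi
}

# report_inventory TEXT: one line per host, "<hostname> <--version banner>".
report_inventory() {
  local host banner
  while read -r host banner; do
    [[ -z $host ]] && continue
    classify_host "$host" "$banner"
  done <<<"$1"
}

# Constructed sample inventory (not real hosts or collected data).
SAMPLE_INVENTORY='ws-001 Google Chrome 147.0.7727.100
ws-002 Google Chrome 147.0.7727.137
ws-003 Google Chrome 147.0.7727.138
ws-004 Chromium 146.0.7700.210
ws-005 Google Chrome 148.0.7800.12
ws-006 bash: google-chrome: command not found'

report_inventory "$SAMPLE_INVENTORY"
```

Run it against real output by replacing the sample inventory with the collected lines; hosts marked UNKNOWN need a manual look, since a missing banner may mean Chrome is not installed, the collection failed, or the user is running an unmanaged copy the agent cannot see. The version reported by a running process is what matters: a host whose package manager shows the fixed version but whose Chrome has not been relaunched is still VULNERABLE.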

References
The Chrome Releases blog entry "Stable Channel Update for Desktop" for 147.0.7727.137/138 documents the patched versions and the CVE identifiers, with technical details withheld until most users have updated, as is Google's usual practice.
