{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-7339", "assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "state": "PUBLISHED", "assignerShortName": "Chrome", "dateReserved": "2026-04-28T20:02:35.329Z", "datePublished": "2026-04-28T22:36:08.152Z", "dateUpdated": "2026-04-28T22:36:08.152Z"}, "containers": {"cna": {"affected": [{"vendor": "Google", "product": "Chrome", "versions": [{"version": "147.0.7727.138", "status": "affected", "lessThan": "147.0.7727.138", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Heap buffer overflow in WebRTC in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Heap buffer overflow", "cweId": "CWE-122"}]}], "providerMetadata": {"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "shortName": "Chrome", "dateUpdated": "2026-04-28T22:36:08.152Z"}, "references": [{"url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_28.html"}, {"url": "https://issues.chromium.org/issues/493957495"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Heap buffer overflow in WebRTC in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)"}], "id": "CVE-2026-7339", "lastModified": "2026-04-28T23:16:21.483", "metrics": {}, "published": "2026-04-28T23:16:21.483", "references": [{"source": "chrome-cve-admin@google.com", "url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_28.html"}, {"source": "chrome-cve-admin@google.com", "url": "https://issues.chromium.org/issues/493957495"}], "sourceIdentifier": "chrome-cve-admin@google.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-122"}], "source": "chrome-cve-admin@google.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[147.0.7727.138,147.0.7727.138)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Chrome", "source": "cna", "vendor": "Google"}, "product": "chrome", "vendor": "google"}], "analysis": {"en": {"generated_at": "2026-04-29T01:03:46.961087+00:00", "value": {"mitigation_remediation": ["Upgrade Google Chrome to version 147.0.7727.138 or later", "If an upgrade cannot be performed immediately, disable WebRTC functionality in Chrome through settings or an extension to block the vulnerable code path", "Continuously monitor Google Chrome security advisories to stay informed of future patches or work\u2011arounds"], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution via Heap Overflow"}, "threat_synthesis": {"affected_systems": "All users running Google Chrome versions earlier than 147.0.7727.138 on desktop platforms are affected. The flaw is present in the WebRTC subsystem, which is active whenever a browser processes a web page containing WebRTC elements, making the problem pervasive across all installations using those builds.", "description_and_impact": "A heap buffer overflow exists in the WebRTC component of Google Chrome, exploitable by a crafted HTML page served by a remote host. The overflow can corrupt surrounding memory, potentially allowing an attacker to execute arbitrary code within the browser process and compromise the host system. The vulnerability is classified as a medium\u2011severity issue by Chromium, but the potential impact is significant because a successful exploit could grant the attacker full control over the affected device.", "risk_and_exploitability": "The CVE does not carry an EPSS score and is not listed in the CISA KEV catalog, implying that no large\u2011scale automated exploitation has been observed to date. Nonetheless, the medium Chromium severity and the nature of a heap overflow suggest that knowledgeable attackers could privilege the vulnerability in a controlled environment. The attack vector is most likely a malicious HTML page loaded from an untrusted source; thus, it requires the victim to visit such a page or be tricked into executing it. Given the lack of a publicly known exploit and the undefined CVSS score, the risk remains moderate until a patch is applied."}}}}, "created": "2026-04-29T01:00:10.588111+00:00", "title": "Heap Buffer Overflow in Chrome WebRTC via Crafted HTML Page", "updated": "2026-04-29T01:15:44.707289+00:00", "vendors": ["google", "google$PRODUCT$chrome"]}