Cyber Posture

CVE-2026-7345

High

Published: 28 April 2026

Modified: 30 April 2026
KEV Added
Patch
CVSS Score: 8.3 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.0011 (28.3rd percentile)
Risk Priority: 17 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

Insufficient validation of untrusted input in Feedback in Google Chrome prior to 147.0.7727.138 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Mitigating Controls (NIST 800-53 r5) [AI]

Prevent: Directly addresses the insufficient validation of untrusted input in Chrome's Feedback component by requiring validation of all information inputs to prevent sandbox escape.

Prevent: Enforces process isolation to contain compromises within the renderer process, mitigating sandbox escape attempts via crafted HTML pages.

Prevent: Requires timely identification, reporting, and correction of flaws like this input validation vulnerability through patching to Chrome 147.0.7727.138 or later.

Security Summary [AI]

CVE-2026-7345 involves insufficient validation of untrusted input in the Feedback component of Google Chrome prior to version 147.0.7727.138. This vulnerability, tied to CWE-20, affects Chromium-based browsers and carries a CVSS v3.1 base score of 8.3 (High), as published on 2026-04-28.

A remote attacker who has already compromised the renderer process can exploit the flaw using a crafted HTML page to potentially escape the sandbox. The attack vector is network-accessible (AV:N) with high complexity (AC:H); it requires no privileges (PR:N) but does require user interaction (UI:R), and it achieves changed scope (S:C) with high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H).

Mitigation is available via the stable channel update for desktop Chrome, detailed in the Chrome Releases blog at https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_28.html. Additional technical details are provided in the Chromium issue tracker at https://issues.chromium.org/issues/502248774. Security practitioners should ensure systems update to Chrome 147.0.7727.138 or later.

Details

CWE(s): CWE-20 (Improper Input Validation)

Affected Products: google chrome ≤ 147.0.7727.138

MITRE ATT&CK Enterprise Techniques [AI]

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Vulnerability enables sandbox escape in client browser (Chrome) after renderer compromise via crafted input, facilitating client application exploitation for code execution (T1203) and privilege escalation from sandboxed process (T1068).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

References