{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-7342", "assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "state": "PUBLISHED", "assignerShortName": "Chrome", "dateReserved": "2026-04-28T20:02:37.760Z", "datePublished": "2026-04-28T22:36:07.295Z", "dateUpdated": "2026-04-28T22:36:07.295Z"}, "containers": {"cna": {"affected": [{"vendor": "Google", "product": "Chrome", "versions": [{"version": "147.0.7727.138", "status": "affected", "lessThan": "147.0.7727.138", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Use after free in WebView in Google Chrome on Android prior to 147.0.7727.138 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Use after free", "cweId": "CWE-416"}]}], "providerMetadata": {"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "shortName": "Chrome", "dateUpdated": "2026-04-28T22:36:07.295Z"}, "references": [{"url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_28.html"}, {"url": "https://issues.chromium.org/issues/503889643"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Use after free in WebView in Google Chrome on Android prior to 147.0.7727.138 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)"}], "id": "CVE-2026-7342", "lastModified": "2026-04-28T23:16:21.787", "metrics": {}, "published": "2026-04-28T23:16:21.787", "references": [{"source": "chrome-cve-admin@google.com", "url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_28.html"}, {"source": "chrome-cve-admin@google.com", "url": "https://issues.chromium.org/issues/503889643"}], "sourceIdentifier": "chrome-cve-admin@google.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "chrome-cve-admin@google.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[147.0.7727.138,147.0.7727.138)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Chrome", "source": "cna", "vendor": "Google"}, "product": "chrome", "vendor": "google"}], "analysis": {"en": {"generated_at": "2026-04-29T02:08:20.558244+00:00", "value": {"mitigation_remediation": ["Update Chrome to version 147.0.7727.138 or newer, which resolves the use\u2011after\u2011free flaw (CWE\u2011416) in the WebView component.", "Reboot the device or restart all affected services to ensure the patched WebView is loaded.", "If an immediate update is not possible, restrict WebView usage by configuring the application to block untrusted or external HTML content, or disable external links that could serve malicious pages, thereby limiting exposure to the CWE\u2011416 use\u2011after\u2011free vulnerability."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The affected product is Google Chrome WebView on Android, specifically versions earlier than 147.0.7727.138. Devices running these versions can be impacted by a maliciously crafted HTML page delivered over the network.", "description_and_impact": "CVE\u20112026\u20117342 is a use\u2011after\u2011free vulnerability in the WebView component of Google Chrome on Android. The flaw allows a remote attacker to craft a malicious HTML page that triggers the freed memory to be accessed again, resulting in execution of arbitrary code inside the sandbox. The vulnerability is classified as high severity.", "risk_and_exploitability": "The attack vector is remote, requiring an attacker to deliver a specially formed HTML page to a vulnerable device. While exploitation has not been confirmed in the wild, the absence of an EPSS score suggests limited observable activity and the weakness is not listed in CISA KEV. The vulnerability remains a significant risk if the device is connected to potentially hostile networks, given its high severity."}}}}, "created": "2026-04-29T01:00:10.588391+00:00", "title": "Use After Free in Chrome WebView Allows Remote Code Execution", "updated": "2026-04-29T02:15:47.408217+00:00", "vendors": ["google", "google$PRODUCT$chrome"]}