Key Takeaways
- Google released Chrome version 147.0.7727.137/138 (Windows/Mac) and 147.0.7727.137 (Linux) to patch 30 security flaws, four of which are severe Remote Code Execution (RCE) bugs.
- The majority of the critical vulnerabilities are Use‑After‑Free memory errors affecting Canvas, GPU, Accessibility, and Views components.
- Successful exploitation could let attackers run arbitrary code on a victim’s machine merely by luring them to a malicious webpage, bypassing Chrome’s sandbox.
- Google is delaying public disclosure of exploit details until most users have applied the update, a standard practice to prevent reverse‑engineering of fixes.
- Researchers received substantial bug bounties, including $16,000 for a high‑severity GPU flaw and $7,000 for a critical Canvas issue.
- Users and administrators should update Chrome immediately via Help → About Google Chrome and restart the browser to ensure full protection.
Overview of the Chrome Security Update
Google has pushed a critical security update for its desktop Chrome browser, addressing a total of thirty vulnerabilities. The update brings the Stable channel to version 147.0.7727.137/138 for Windows and macOS, and to version 147.0.7727.137 for Linux. The rollout is being conducted gradually over the coming days and weeks to monitor stability and avoid widespread disruption. This measured deployment reflects Google’s commitment to delivering patches safely while minimizing the risk of introducing new issues during the update process.
Nature of the Patched Flaws
Among the thirty patched issues, four are classified as severe and capable of enabling Remote Code Execution (RCE) attacks. The majority of these severe flaws are identified as Use‑After‑Free memory vulnerabilities. A Use‑After‑Free bug arises when software continues to reference a memory location after it has been freed or deallocated, leading to unpredictable behavior. In the context of a browser, such mismanagement can cause crashes, corrupt data, and—most critically—allow an attacker to execute arbitrary code on the victim’s system.
How Use‑After‑Free Vulnerabilities Lead to RCE
When a Use‑After‑Free condition is exploited, an attacker can manipulate the freed memory space to inject malicious instructions. If the browser later uses that memory, it will inadvertently run the attacker’s code. Because the exploit can be triggered simply by convincing a user to visit a specially crafted webpage, no additional user interaction—such as clicking a download or granting permissions—is required. This low‑interaction vector makes the flaw especially dangerous, as it can be leveraged in drive‑by‑download campaigns or malicious advertising networks.
Impact on Chrome’s Sandbox Protections
Chrome employs a multi‑layered sandbox designed to isolate rendering processes from the underlying operating system, thereby limiting the damage a compromised webpage can inflict. However, successful exploitation of the Use‑After‑Free bugs described in this update can bypass those sandbox mechanisms. Once the sandbox is circumvented, the attacker gains the ability to execute commands with the privileges of the Chrome process, potentially leading to full system compromise, data theft, installation of persistence mechanisms, or lateral movement within a network.
Temporary Restriction on Bug Details
In line with industry best practices, Google is temporarily withholding specific technical details and exploit links for the vulnerabilities addressed in this release. This delay is intended to give the majority of Chrome users sufficient time to apply the patch before the information becomes publicly available. By preventing early disclosure, Google reduces the risk that threat actors will reverse‑engineer the fixes and develop exploit kits targeting unpatched systems, thereby protecting the broader user base during the update window.
Recognition of Researchers Through Bug Bounties
Google’s Chrome Vulnerability Rewards Program acknowledged the contributions of several security researchers who reported the critical flaws. Notable awards include a $16,000 bounty for a high‑severity Use‑After‑Free vulnerability in the GPU component (CVE‑2026-7333) and a $7,000 bounty for a critical Use‑After‑Free issue in the Canvas component (CVE‑2026-7363). Additional bounties for other reported issues are pending determination. These rewards underscore Google’s commitment to incentivizing responsible disclosure and fostering collaboration with the security research community.
Detailed Summary of the Most Critical CVEs
The release highlights several particularly severe vulnerabilities:
- CVE‑2026-7363 – A critical Use‑After‑Free in the Canvas component, discovered by heapracer, earning a $7,000 bounty.
- CVE‑2026-7361 – A critical Use‑After‑Free affecting iOS, reported internally by Google; bounty pending.
- CVE‑2026-7344 – A critical Use‑After‑Free in the Accessibility component, reported by Google; bounty pending.
- CVE‑2026-7343 – A critical Use‑After‑Free in the Views component, reported by Google; bounty pending.
- CVE‑2026-7333 – A high‑severity Use‑After‑Free in the GPU component, reported by researcher c6eed09fc8b174b0f3eebedcceb1e792, rewarded with $16,000.
These identifiers help administrators and users verify that their systems have received the necessary patches.
Recommendations for Individual Users
To mitigate the risk posed by these vulnerabilities, individual Chrome users should promptly update their browsers. The update can be checked by navigating to Help → About Google Chrome; Chrome will automatically download and apply the latest version. After the update finishes, restarting the browser ensures that the patched binaries are fully loaded and active. Enabling automatic updates in Chrome’s settings is also advisable to protect against future threats without manual intervention.
Guidance for Enterprise Administrators
Network administrators responsible for large fleets of Chrome installations should prioritize the rapid rollout of version 147.0.7727.137/138 across all endpoints. Utilizing centralized management tools—such as Google Workspace admin controls, Microsoft Endpoint Configuration Manager, or third‑party patch‑management solutions—can streamline the deployment process. Verifying version compliance after rollout, monitoring for any anomalous behavior, and maintaining an inventory of unpatched devices are critical steps to prevent potential intrusions stemming from these vulnerabilities.
Staying Informed About Future Threats
For ongoing cybersecurity insights, readers are encouraged to follow reputable sources such as Google News, LinkedIn, and X (formerly Twitter), where Google and security experts regularly share updates on emerging threats and defensive best practices. Organizations interested in sharing their own security stories or seeking coverage can reach out through the provided contact channels to contribute to the broader security community dialogue. By staying vigilant and keeping software up to date, both individuals and organizations can significantly reduce the attack surface presented by complex memory‑management flaws like those addressed in this Chrome update.