{
"title": "Google Chrome 147.0.7727.138 Fixes CVE‑2026‑7350 and 29 Other High‑Severity Flaws—Patch Now to Prevent Sandbox Escapes",
"content": "Google released Chrome version 147.0.7727.137/138 on April 28, 2026, to address a sweeping batch of memory-safety bugs—30 in total—across key browser components, including a high-severity use-after-free flaw in WebMIDI labeled CVE‑2026‑7350 that could allow sandbox escape on Windows. The patch also covers vulnerabilities in Canvas, Accessibility, Views, GPU, ANGLE, WebRTC, Media, Cast, Codecs, WebView, and Navigation among others.
CVE‑2026‑7350: WebMIDI Sandbox Escape Risk
CVE‑2026‑7350 is a use-after-free vulnerability in Chrome’s WebMIDI implementation. Before version 147.0.7727.138, a crafted HTML page could exploit this flaw to escape Chrome’s sandbox, potentially allowing arbitrary code execution on the host system. It’s rated high severity with a CISA ADP CVSS score of 8.3. (nvd.nist.gov)
The fix is included in the stable update to version 147.0.7727.138 for Windows and macOS (147.0.7727.137 for Linux). Versions prior to 147.0.7727.138 remain vulnerable. (nvd.nist.gov)
Massive Security Sweep: 30 Critical and High‑Severity Fixes
Chrome’s April 28 update wasn’t limited to WebMIDI. It patched four critical use-after-free flaws—in Canvas (CVE‑2026‑7363), Accessibility (CVE‑2026‑7344), the Views UI component (CVE‑2026‑7343), and iOS-specific code (CVE‑2026‑7361)—plus numerous high-severity memory validation issues across components like GPU, ANGLE, WebRTC, Media, Cast, Codecs, WebView, Navigation, and WebMIDI. (prohoster.info)
TechRepublic underscores that four of the patched flaws were deemed critical and could allow attackers to escape sandbox protections and execute code by serving crafted content. (techrepublic.com)
The Operational Reality: Patch, Then Restart
The critical detail for administrators and users alike is that the patched version must not only be installed but actually running. Chrome stages updates silently, but until a browser restart occurs, the vulnerable process continues to run. That simple final step—closing and reopening the browser—can mean the difference between being exposed or protected. (windowsforum.com)
Enterprise environments face additional challenges: golden images, virtual desktops, conference-room systems, and kiosk endpoints may not restart automatically, leaving systems running outdated and vulnerable Chrome builds for extended periods. (windowsforum.com)
Navigating Chromium-Based Variants and Ecosystem Exposure
CVE‑2026‑7350 and its companion bugs reside within Chromium’s engine—meaning Google Chrome isn’t the only consumer of these fixes. Microsoft Edge, Brave, Opera, Electron-based apps, and embedded WebViews may also inherit the vulnerabilities. Thus, organizations must monitor all Chromium derivatives and not rely solely on Chrome’s update cadence. (windowsforum.com)
Version discrepancies across platforms add complexity. The vulnerability descriptions specify versions prior to 147.0.7727.138, but Chrome’s rollout included two versions—147.0.7727.137 and .138—depending on the OS. Admins should verify the actual running build on each platform rather than assume parity. (windowsforum.com)
Context: Why This Rollup Matters Now
Modern browsers like Chrome resemble miniature operating systems with vast attack surfaces—from UI frameworks and media stacks to identity, rendering, and real-time communication layers. The density of memory-safety fixes in this release is not surprising—it reflects how exposed and complex the browser’s codebase has become. (windowsforum.com)
Microsoft’s ecosystem reinforces this reality: Edge users should reference Microsoft’s Security Update Guide to confirm fixes, not simply rely on Chrome’s version numbers. (windowsforum.com)
Summary Table: Key CVEs in Chrome 147 Rollup
| Component | CVE | Type | Impact | Windows Fix Version |
|---|---|---|---|---|
| WebMIDI | CVE‑2026‑7350 | Use-after-free | Sandbox escape | 147.0.7727.138 |
| Canvas | CVE‑2026‑7363 | Use-after-free (Critical) | Sandbox bypass | 147.0.7727.137/138 |
| Accessibility | CVE‑2026‑7344 | Use-after-free (Critical) | Sandbox bypass | 147.0.7727.137/138 |
| Views UI | CVE‑2026‑7343 | Use-after-free (Critical) | Sandbox escape (Windows) | 147.0.7727.137/138 |
| ANGLE | CVE‑2026‑7359 | Use-after-free | Sandbox escape | 147.0.7727.138 |
| WebRTC | CVE‑2026‑7341 / CVE‑2026‑7336 | Use-after-free | Code execution inside sandbox | 147.0.7727.137/138 |
| Media | CVE‑2026‑7335 | Use-after-free | Code execution in sandbox | 147.0.7727.137/138 |
| Navigation | CVE‑2026‑7356 | Use-after-free | May enable code execution | 147.0.7727.138 |
Action Steps for Administrators and Users
- Update all Chromium-based browsers—including Chrome and Edge—on Windows and other platforms to version 147.0.7727.138 or newer.
- Enforce or verify browser restarts post-update.
- Audit and patch Chrome derivatives and embedded WebViews.
- Treat browser patching as part of endpoint defense, not optional application maintenance.
- Use version-based scanning rather than CVE scanners alone; cross-reference NVD, vendor advisories, and actual running builds.
Final Analysis: The Browser as the New Perimeter
CVE‑2026‑7350 exemplifies a troubling shift in endpoint security: browser memory bugs now rank alongside the operating system in attack potential. With WebMIDI, Canvas, Views, ANGLE, and other components targeted in a single update, it’s clear that modern browser security is not incremental—it’s foundational.
Administrators must adopt an aggressive posture: high-severity browser patches are now security-critical milestones. Missing them means leaving sandbox boundaries porous. The final defensive step is simple but non-negotiable—restart the browser.
Expect more of these broad, dangerous browser patch waves. The threat surface continues to expand, and so must your patch discipline.",
"summary": "Google’s April 28 security update for Chrome 147 patches 30 vulnerabilities including CVE‑2026‑7350, a high-severity WebMIDI use-after-free that could enable sandbox escape. Users and organizations must upgrade to version 147.0.7727.138, restart their browsers, and ensure all Chromium-based applications are patched to close this expanding attack surface.",
"metadescription": "Google Chrome 147.0.7727.138 fixes CVE‑2026‑7350 (WebMIDI sandbox escape) along with 29 other high-severity flaws. Patch, restart, and secure all Chromium-based browsers now.",
"tags": [
"Chrome 147 update",
"CVE-2026-7350",
"sandbox escape",
"browser security",
"use-after-free",
"patch management",
"Chromium-based browsers"
],
"referencelinks": [
"National Vulnerability Database – CVE‑2026‑7350 details",
"TechRepublic – Google patches 30 Chrome vulnerabilities",
"Windows Forum – CVE‑2026‑7343 Views UI sandbox escape",
"Windows Forum – CVE‑2026‑7338 Cast use-after-free",
"Windows Forum – CVE‑2026‑7341 WebRTC use-after-free",
"Windows Forum – CVE‑2026‑7359 ANGLE use-after-free",
"Windows Forum – CVE‑2026‑7356 Navigation use-after-free",
"NVD entry listing Chrome 147.0.7727.138 as patched build"
]
}