Critical Chrome Vulnerabilities Enables Remote Code Execution Attacks

Google has released a critical security update for its Chrome desktop browser to address 30 security vulnerabilities, including four severe flaws that could enable Remote Code Execution (RCE) attacks.

The Stable channel has been updated to version 147.0.7727.137/138 for Windows and Mac, and to 147.0.7727.137 for Linux.

Google is rolling out this update gradually over the coming days and weeks to ensure a stable deployment.

The majority of the severe flaws patched in this release are “Use-After-Free” memory vulnerabilities.

A Use-After-Free bug occurs when an application attempts to access memory space that has already been freed or deallocated.

This memory mismanagement can lead to unexpected browser crashes, severe data corruption, and, most dangerously, arbitrary code execution.

If successfully exploited, these vulnerabilities allow remote attackers to run malicious commands on a victim’s machine simply by convincing the user to visit a specially crafted malicious webpage.

This requires no additional user interaction and could allow hackers to bypass Chrome’s built-in sandbox protections, potentially compromising the underlying system.

Critical Chrome Vulnerabilities

Google is temporarily restricting access to specific bug details and exploit links until a vast majority of the user base has successfully applied the security patch.

This industry standard practice prevents threat actors from reverse-engineering fixes to launch attacks against unpatched, vulnerable systems.

Google awarded bug bounties to researchers, including $16,000 for a high-severity GPU flaw and $7,000 for a critical Canvas issue.

Below is a summary of the most critical and highly rewarded vulnerabilities addressed in this Chrome release:

• CVE-2026-7363 is a critical use-after-free vulnerability in the Canvas component, reported by heapracer, with a $7,000 bounty.
• CVE-2026-7361 is a critical use-after-free vulnerability affecting iOS, reported by Google, with the bounty yet to be determined.
• CVE-2026-7344 is a critical use-after-free vulnerability in the Accessibility component, reported by Google, with a pending bounty.
• CVE-2026-7343 is a critical use-after-free vulnerability in the Views component, reported by Google, with a pending bounty.
• CVE-2026-7333 is a high-severity use-after-free vulnerability in the GPU component, reported by c6eed09fc8b174b0f3eebedcceb1e792, with a $16,000 bounty.

To protect against potential exploitation, individuals and network administrators are strongly advised to update their Google Chrome browsers immediately.

Check for updates in Google Chrome via Help → About Google Chrome, then restart the browser to apply them. A quick browser restart is required to apply the latest protections fully.

Administrators managing enterprise environments should prioritize the rapid deployment of Chrome version 147.0.7727.137/138 across their networks to prevent potential intrusions.