{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/chrome/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-7359"}],"_cs_exploited":false,"_cs_products":["Chrome","Edge"],"_cs_severities":["high"],"_cs_tags":["use-after-free","chromium","edge","chrome","cve-2026-7359"],"_cs_type":"advisory","_cs_vendors":["Google","Microsoft"],"content_html":"\u003cp\u003eCVE-2026-7359 describes a use-after-free vulnerability present in ANGLE (Almost Native Graphics Layer Engine), a crucial component of the Chromium open-source project. This vulnerability impacts applications that utilize the Chromium engine, most notably Google Chrome and Microsoft Edge. While the provided source does not give specific exploitation details, use-after-free vulnerabilities can allow for arbitrary code execution. Google Chrome has already addressed this vulnerability, and Microsoft Edge has incorporated the fix from Chromium. 
This vulnerability matters to defenders because successful exploitation could lead to compromise of the browser and potentially the underlying system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious web page containing JavaScript code that leverages a flaw in ANGLE\u0026rsquo;s memory management.\u003c/li\u003e\n\u003cli\u003eA user visits the malicious web page through Chrome or Edge.\u003c/li\u003e\n\u003cli\u003eThe JavaScript code triggers the use-after-free vulnerability by freeing a memory object in ANGLE and then attempting to access it again.\u003c/li\u003e\n\u003cli\u003eThis memory corruption leads to a controlled crash or allows the attacker to overwrite memory with arbitrary data.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the memory overwrite to inject malicious code into the browser process.\u003c/li\u003e\n\u003cli\u003eThe injected code executes within the context of the browser, granting the attacker access to user data, cookies, and other sensitive information.\u003c/li\u003e\n\u003cli\u003eThe attacker may then use this access to perform actions on behalf of the user, such as stealing credentials, installing malware, or spreading the attack to other systems.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary code execution on the user\u0026rsquo;s system, potentially leading to full system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful exploit of CVE-2026-7359 could allow an attacker to execute arbitrary code within the context of the affected browser (Chrome or Edge). This can lead to sensitive information disclosure, data theft, and potentially full system compromise. The scope of impact is broad, affecting any user who visits a malicious webpage while using a vulnerable version of Chrome or Edge. 
Since Chrome and Edge are widely used, this vulnerability poses a significant risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious WebGL Usage\u003c/code\u003e to identify potential exploitation attempts targeting ANGLE via WebGL.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests (cs-uri-query) that may be related to the exploitation of CVE-2026-7359.\u003c/li\u003e\n\u003cli\u003eEnsure that all Chrome and Edge installations are updated to the latest versions to patch CVE-2026-7359.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-01T02:21:40Z","date_published":"2026-05-01T02:21:40Z","id":"/briefs/2026-05-chromium-use-after-free/","summary":"A use-after-free vulnerability in the ANGLE graphics engine within Chromium (CVE-2026-7359) allows for potential exploitation in Google Chrome and Microsoft Edge.","title":"Chromium Use-After-Free Vulnerability in ANGLE (CVE-2026-7359)","url":"https://feed.craftedsignal.io/briefs/2026-05-chromium-use-after-free/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-7357"}],"_cs_exploited":false,"_cs_products":["Chrome","Edge"],"_cs_severities":["critical"],"_cs_tags":["use-after-free","chromium","edge","chrome"],"_cs_type":"advisory","_cs_vendors":["Google","Microsoft"],"content_html":"\u003cp\u003eCVE-2026-7357 is a critical use-after-free vulnerability residing within the GPU component of the Chromium rendering engine. This flaw directly impacts Google Chrome and, due to Microsoft Edge\u0026rsquo;s reliance on Chromium, also affects Edge users. A remote attacker could potentially exploit this vulnerability to execute arbitrary code on a targeted system. The vulnerability stems from improper memory management within the GPU processing routines. 
While the specific exploitation details are not provided in this brief, successful exploitation generally involves crafting malicious web content to trigger the vulnerability during GPU operations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious HTML page containing JavaScript that triggers specific GPU functions.\u003c/li\u003e\n\u003cli\u003eUser visits the malicious website using Chrome or Edge.\u003c/li\u003e\n\u003cli\u003eThe browser\u0026rsquo;s rendering engine processes the malicious JavaScript, leading to the allocation and subsequent freeing of a memory region in the GPU component.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s JavaScript code then attempts to access the previously freed memory region, triggering the use-after-free vulnerability.\u003c/li\u003e\n\u003cli\u003eBy manipulating the memory layout, the attacker can overwrite the freed memory with controlled data.\u003c/li\u003e\n\u003cli\u003eThe overwritten memory is later accessed by the GPU, leading to the execution of attacker-controlled code.\u003c/li\u003e\n\u003cli\u003eThe attacker gains arbitrary code execution within the context of the browser process.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the code execution to escalate privileges or perform other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-7357 can lead to arbitrary code execution on the victim\u0026rsquo;s machine. The attacker could potentially install malware, steal sensitive data, or take control of the affected system. 
Given the widespread use of Chrome and Edge, this vulnerability poses a significant risk to a large number of users.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the latest security updates for Google Chrome to address CVE-2026-7357.\u003c/li\u003e\n\u003cli\u003eApply the latest security updates for Microsoft Edge to address CVE-2026-7357.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious WebAssembly Execution\u0026rdquo; to identify potential exploitation attempts involving WebAssembly.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-01T02:21:27Z","date_published":"2026-05-01T02:21:27Z","id":"/briefs/2024-01-chromium-use-after-free/","summary":"CVE-2026-7357 is a use-after-free vulnerability in the GPU component of Chromium that also affects Microsoft Edge, potentially leading to arbitrary code execution.","title":"Chromium Use-After-Free Vulnerability in GPU Component (CVE-2026-7357)","url":"https://feed.craftedsignal.io/briefs/2024-01-chromium-use-after-free/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-7338"}],"_cs_exploited":false,"_cs_products":["Chrome","Edge"],"_cs_severities":["critical"],"_cs_tags":["use-after-free","chrome","edge","cve-2026-7338","remote code execution"],"_cs_type":"advisory","_cs_vendors":["Google","Microsoft"],"content_html":"\u003cp\u003eCVE-2026-7338 is a critical use-after-free vulnerability residing within the Cast component of the Chromium browser engine. Google Chrome and Microsoft Edge (Chromium-based) are both affected by this flaw. While the provided source does not specify the exact vulnerable versions, it indicates that Microsoft Edge ingests Chromium, and thus is affected by vulnerabilities addressed in Chromium releases. Successful exploitation of this vulnerability could lead to arbitrary code execution in the context of the user running the browser. 
This poses a significant risk, as attackers could potentially gain control of the user\u0026rsquo;s system. Defenders should prioritize patching affected browsers.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious webpage or injects malicious code into a legitimate website that utilizes the Cast functionality.\u003c/li\u003e\n\u003cli\u003eThe victim visits the malicious website or interacts with the compromised legitimate website using an affected browser (Chrome or Edge).\u003c/li\u003e\n\u003cli\u003eThe malicious webpage triggers the use-after-free vulnerability in the Cast component.\u003c/li\u003e\n\u003cli\u003eThe vulnerability allows the attacker to access memory that has already been freed.\u003c/li\u003e\n\u003cli\u003eThe attacker overwrites the freed memory with attacker-controlled data.\u003c/li\u003e\n\u003cli\u003eThe attacker manipulates the memory layout to redirect program execution.\u003c/li\u003e\n\u003cli\u003eThe browser attempts to execute code from the attacker-controlled memory location.\u003c/li\u003e\n\u003cli\u003eThis results in arbitrary code execution within the context of the browser process.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-7338 allows an attacker to execute arbitrary code on a victim\u0026rsquo;s machine. This can lead to complete system compromise, data theft, installation of malware, or other malicious activities. Given the widespread use of Chromium-based browsers like Chrome and Edge, this vulnerability has the potential to impact a large number of users across various sectors. 
The severity is critical due to the potential for remote code execution.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the latest security updates for Google Chrome to address CVE-2026-7338 as detailed in Google Chrome Releases.\u003c/li\u003e\n\u003cli\u003eApply the latest security updates for Microsoft Edge (Chromium-based) to address CVE-2026-7338, ensuring the ingested Chromium version contains the fix.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM to detect potential exploitation attempts targeting the Cast component.\u003c/li\u003e\n\u003cli\u003eEnable enhanced browser security features, such as sandboxing and site isolation, to limit the impact of potential exploits.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-01T02:21:27Z","date_published":"2026-05-01T02:21:27Z","id":"/briefs/2024-01-chromium-cve-2026-7338/","summary":"CVE-2026-7338 is a use-after-free vulnerability in the Cast component of Chromium, affecting Google Chrome and Microsoft Edge, potentially leading to arbitrary code execution.","title":"Chromium Use-After-Free Vulnerability in Cast (CVE-2026-7338)","url":"https://feed.craftedsignal.io/briefs/2024-01-chromium-cve-2026-7338/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.6,"id":"CVE-2026-6296"},{"cvss":8.3,"id":"CVE-2026-6297"},{"cvss":4.3,"id":"CVE-2026-6298"},{"cvss":8.8,"id":"CVE-2026-6299"},{"cvss":8.8,"id":"CVE-2026-6300"}],"_cs_exploited":false,"_cs_products":["Chrome"],"_cs_severities":["high"],"_cs_tags":["chrome","vulnerability","code-execution","defense-evasion","information-disclosure","denial-of-service"],"_cs_type":"advisory","_cs_vendors":["Google"],"content_html":"\u003cp\u003eMultiple unspecified vulnerabilities have been identified in Google Chrome. 
An attacker exploiting these vulnerabilities could potentially execute arbitrary code, circumvent security measures, expose and manipulate sensitive information, and trigger a denial-of-service condition. The specifics of these vulnerabilities, including CVE identifiers, are not detailed in the source document. The lack of detail makes it difficult to determine the scope of the attack, but successful exploitation could lead to significant compromise of systems running Chrome. Defenders should prioritize monitoring for suspicious activity within Chrome processes.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a vulnerable version of Google Chrome.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious web page or injects malicious code into a legitimate website.\u003c/li\u003e\n\u003cli\u003eA user visits the malicious web page or a compromised legitimate website using Google Chrome.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits a vulnerability in Chrome, such as a use-after-free or buffer overflow.\u003c/li\u003e\n\u003cli\u003eSuccessful exploitation allows the attacker to execute arbitrary code within the context of the Chrome process.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the code execution to bypass security mechanisms like sandboxing.\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to sensitive data, such as cookies, browsing history, or credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker manipulates data or causes a denial-of-service condition by crashing the browser or consuming excessive resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code, bypass security mechanisms, disclose and manipulate data, and cause a denial-of-service condition. 
The impact ranges from data theft and credential compromise to complete system takeover, depending on the specific vulnerability and the attacker\u0026rsquo;s objectives. While the exact number of potential victims is unknown, the widespread use of Chrome makes this a high-impact threat.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events for suspicious child processes spawned by chrome.exe, especially those involving command-line interpreters or scripting engines. Use the \u0026ldquo;Detect Suspicious Child Process of Chrome\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003cli\u003eInspect network connections originating from chrome.exe for unusual destinations or protocols. Deploy the \u0026ldquo;Detect Outbound Connection from Chrome without User Interaction\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement web content filtering to block access to known malicious websites that might attempt to exploit Chrome vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T09:09:14Z","date_published":"2026-04-30T09:09:14Z","id":"/briefs/2026-05-chrome-vulns/","summary":"Multiple vulnerabilities in Google Chrome could allow an attacker to execute arbitrary code, bypass security mechanisms, disclose and manipulate data, and cause a denial-of-service condition.","title":"Multiple Vulnerabilities in Google Chrome","url":"https://feed.craftedsignal.io/briefs/2026-05-chrome-vulns/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-6363"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["cve-2026-6363","chrome","v8","type confusion"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-6363 is a type confusion vulnerability affecting the V8 JavaScript engine within Google Chrome. This vulnerability resides in versions prior to 147.0.7727.101. 
A remote attacker could exploit this flaw by crafting a malicious HTML page designed to trigger the type confusion, leading to an out-of-bounds memory access. The Chromium security team rated this vulnerability as having medium severity. Successful exploitation could allow an attacker to potentially execute arbitrary code within the context of the browser. Defenders should prioritize patching vulnerable Chrome installations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a malicious HTML page containing JavaScript code designed to trigger the type confusion vulnerability in the V8 engine.\u003c/li\u003e\n\u003cli\u003eThe victim visits the malicious HTML page, either by directly navigating to it or by being redirected through a phishing attack or drive-by download.\u003c/li\u003e\n\u003cli\u003eThe victim\u0026rsquo;s Chrome browser attempts to render the malicious HTML and execute the embedded JavaScript code.\u003c/li\u003e\n\u003cli\u003eThe crafted JavaScript code exploits the type confusion vulnerability in the V8 engine, leading to an incorrect type assignment.\u003c/li\u003e\n\u003cli\u003eThe type confusion results in an out-of-bounds memory access, allowing the attacker to read or write to arbitrary memory locations.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the ability to read and write to arbitrary memory locations to inject and execute malicious code within the Chrome process.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the Chrome process and can perform actions such as stealing cookies, injecting keyloggers, or accessing sensitive information.\u003c/li\u003e\n\u003cli\u003eThe attacker may pivot from the compromised browser to other systems on the network, depending on the environment and attacker objectives.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6363 
can lead to arbitrary code execution within the context of the Chrome browser. This could allow an attacker to steal sensitive information such as cookies, credentials, and browsing history. It can also lead to further compromise of the affected system and potentially other systems on the network. While the Chromium security severity is rated as Medium, the impact of successful exploitation can be significant.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Google Chrome to version 147.0.7727.101 or later to patch CVE-2026-6363.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious Chrome Process Memory Access\u003c/code\u003e to detect potential exploitation attempts based on process memory access patterns.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests to unusual or suspicious HTML pages that could be used to deliver the exploit.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-16T12:00:00Z","date_published":"2026-04-16T12:00:00Z","id":"/briefs/2026-04-chrome-v8-type-confusion/","summary":"A type confusion vulnerability (CVE-2026-6363) in Google Chrome's V8 JavaScript engine before version 147.0.7727.101 allows a remote attacker to potentially perform out-of-bounds memory access via a crafted HTML page.","title":"Google Chrome V8 Type Confusion Vulnerability (CVE-2026-6363)","url":"https://feed.craftedsignal.io/briefs/2026-04-chrome-v8-type-confusion/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-6301"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["type-confusion","code-execution","chrome"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-6301 describes a type confusion vulnerability affecting the Turbofan component in Google Chrome versions prior to 147.0.7727.101. 
The vulnerability allows a remote attacker to potentially execute arbitrary code within the Chrome sandbox. The attack is initiated by crafting a malicious HTML page that, when rendered by a vulnerable Chrome browser, triggers the type confusion in Turbofan. Successful exploitation could lead to arbitrary code execution, potentially allowing the attacker to gain control of the affected system or access sensitive information within the sandbox constraints. This vulnerability poses a significant risk to users browsing untrusted websites or opening malicious HTML files.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious HTML page designed to trigger the type confusion vulnerability in Chrome\u0026rsquo;s Turbofan.\u003c/li\u003e\n\u003cli\u003eThe victim visits the attacker-controlled website hosting the malicious HTML page or opens a locally stored HTML file.\u003c/li\u003e\n\u003cli\u003eChrome\u0026rsquo;s rendering engine attempts to process the malicious HTML, triggering the Turbofan component responsible for JavaScript optimization.\u003c/li\u003e\n\u003cli\u003eThe type confusion vulnerability is exploited due to the crafted HTML, leading to incorrect assumptions about object types during JavaScript execution.\u003c/li\u003e\n\u003cli\u003eThe incorrect type assumptions allow the attacker to manipulate memory within the Chrome renderer process.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the memory manipulation capabilities to inject and execute arbitrary code within the Chrome sandbox.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s code executes with the privileges of the Chrome renderer process.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6301 allows a remote attacker to execute arbitrary code within the Chrome sandbox. 
While the sandbox provides some level of isolation, a determined attacker may be able to escape the sandbox and gain further access to the underlying system. The impact includes potential data theft, installation of malware, or complete system compromise, depending on the attacker\u0026rsquo;s ability to bypass sandbox protections.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Google Chrome to version 147.0.7727.101 or later to patch CVE-2026-6301 (reference: \u003ca href=\"https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_15.html\"\u003ehttps://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_15.html\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious Script Execution via Chrome\u0026rdquo; to identify potential exploitation attempts (reference: Sigma rule below).\u003c/li\u003e\n\u003cli\u003eEducate users about the risks of visiting untrusted websites and opening suspicious HTML files to prevent initial access.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-16T12:00:00Z","date_published":"2026-04-16T12:00:00Z","id":"/briefs/2026-04-chrome-turbofan-type-confusion/","summary":"A type confusion vulnerability in Google Chrome's Turbofan component (CVE-2026-6301) allows a remote attacker to execute arbitrary code within a sandbox by exploiting a crafted HTML page, impacting system integrity and availability.","title":"Google Chrome Turbofan Type Confusion Vulnerability (CVE-2026-6301)","url":"https://feed.craftedsignal.io/briefs/2026-04-chrome-turbofan-type-confusion/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.3,"id":"CVE-2026-6311"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-6311","chrome","sandbox-escape","windows"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-6311 describes a high-severity vulnerability 
affecting Google Chrome on Windows. Specifically, an uninitialized use in the Accessibility component exists in versions prior to 147.0.7727.101. This flaw allows a remote attacker, who has already compromised the renderer process, to potentially escape the browser\u0026rsquo;s sandbox environment. The attacker exploits this vulnerability by crafting a malicious HTML page. Successful exploitation allows the attacker to execute code outside of the Chrome sandbox, potentially leading to arbitrary code execution on the underlying system. This vulnerability was patched in Chrome version 147.0.7727.101, released in April 2026. The Chromium project assigned a security severity of High to this issue.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a malicious HTML page designed to trigger the uninitialized use vulnerability in the Accessibility component.\u003c/li\u003e\n\u003cli\u003eThe victim visits the malicious HTML page through a phishing link or drive-by download.\u003c/li\u003e\n\u003cli\u003eThe HTML page is rendered by Google Chrome, which triggers the vulnerability in the Accessibility component.\u003c/li\u003e\n\u003cli\u003eDue to the uninitialized memory, the attacker gains control of a pointer or other sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages this control to read from or write to arbitrary memory locations within the renderer process.\u003c/li\u003e\n\u003cli\u003eThe attacker manipulates the memory of the renderer process to bypass sandbox restrictions.\u003c/li\u003e\n\u003cli\u003eThe attacker gains the ability to execute arbitrary code outside of the Chrome sandbox.\u003c/li\u003e\n\u003cli\u003eThe attacker can now perform actions such as installing malware, stealing sensitive data, or pivoting to other systems on the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation 
of CVE-2026-6311 allows an attacker to escape the Google Chrome sandbox on Windows systems. This can lead to arbitrary code execution on the victim\u0026rsquo;s machine, potentially leading to data theft, malware installation, or further compromise of the network. Given Chrome\u0026rsquo;s widespread use, this vulnerability poses a significant risk to a large number of users. While the exact number of victims is unknown, the potential impact is high due to the ability to bypass the browser\u0026rsquo;s security measures.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Google Chrome to version 147.0.7727.101 or later to patch CVE-2026-6311 (reference: Overview).\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for unexpected processes spawned by Chrome renderer processes, as a sign of successful sandbox escape (reference: Attack Chain step 8 and the \u0026ldquo;Detect Chrome Sandbox Escape via Child Process\u0026rdquo; Sigma rule).\u003c/li\u003e\n\u003cli\u003eImplement web filtering to block access to known malicious websites that may host exploit code targeting this vulnerability (reference: Attack Chain step 2).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune for your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-16T12:00:00Z","date_published":"2026-04-16T12:00:00Z","id":"/briefs/2026-04-chrome-sandbox-escape/","summary":"A remote attacker who has compromised the renderer process in Google Chrome on Windows prior to version 147.0.7727.101 can potentially perform a sandbox escape via a crafted HTML page due to an uninitialized use in accessibility, as tracked by CVE-2026-6311.","title":"Google Chrome Sandbox Escape via Uninitialized Use in Accessibility 
(CVE-2026-6311)","url":"https://feed.craftedsignal.io/briefs/2026-04-chrome-sandbox-escape/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.3,"id":"CVE-2026-6314"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["chrome","gpu","oob-write","sandbox-escape"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-6314 is a security vulnerability affecting Google Chrome versions prior to 147.0.7727.101. The vulnerability resides within the GPU process and is classified as an out-of-bounds write. Successful exploitation could allow a remote attacker who has already compromised the GPU process to perform a sandbox escape, potentially gaining broader system access. The vulnerability can be triggered by a crafted HTML page. The Chromium security team has rated this vulnerability as High severity. This vulnerability was patched in the 147.0.7727.101 release.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a malicious HTML page designed to trigger the out-of-bounds write in the GPU process.\u003c/li\u003e\n\u003cli\u003eThe victim visits the malicious HTML page using a vulnerable version of Google Chrome.\u003c/li\u003e\n\u003cli\u003eThe HTML page leverages JavaScript to initiate a GPU-related operation that triggers the vulnerable code path.\u003c/li\u003e\n\u003cli\u003eThe GPU process attempts to write data outside of the intended memory buffer due to a flaw in the code.\u003c/li\u003e\n\u003cli\u003eThis out-of-bounds write corrupts memory within the GPU process.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the memory corruption to overwrite critical data structures or code within the GPU process.\u003c/li\u003e\n\u003cli\u003eBy manipulating the GPU process\u0026rsquo;s memory, the attacker attempts to escape the Chrome sandbox.\u003c/li\u003e\n\u003cli\u003eIf successful, the attacker gains the ability to execute arbitrary code outside 
the sandbox, potentially compromising the user\u0026rsquo;s system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6314 allows an attacker to escape the Chrome sandbox. This allows the attacker to potentially execute arbitrary code on the victim\u0026rsquo;s machine. While the exact number of victims is unknown, all users of Google Chrome versions prior to 147.0.7727.101 are potentially vulnerable. A successful sandbox escape could lead to data theft, malware installation, or other malicious activities, depending on the privileges of the compromised user.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Google Chrome to version 147.0.7727.101 or later to patch CVE-2026-6314.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Chrome GPU Process Crash\u003c/code\u003e to identify potential exploitation attempts based on abnormal process termination.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests to suspicious HTML pages (cs-uri-query, cs-uri-stem) that could be used to deliver the exploit.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-16T12:00:00Z","date_published":"2026-04-16T12:00:00Z","id":"/briefs/2026-04-chrome-gpu-oob-write/","summary":"Google Chrome versions prior to 147.0.7727.101 are vulnerable to an out-of-bounds write in the GPU process (CVE-2026-6314), allowing a remote attacker with GPU process compromise to potentially perform a sandbox escape via a crafted HTML page.","title":"Google Chrome GPU Out-of-Bounds Write Vulnerability 
(CVE-2026-6314)","url":"https://feed.craftedsignal.io/briefs/2026-04-chrome-gpu-oob-write/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-6300"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-6300","use-after-free","chrome"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-6300 is a use-after-free vulnerability affecting the CSS engine in Google Chrome versions prior to 147.0.7727.101. Successful exploitation allows a remote attacker to execute arbitrary code inside a sandbox environment. The vulnerability is triggered when processing a maliciously crafted HTML page. Google Chrome users who have not updated to version 147.0.7727.101 or later are vulnerable. Given the widespread use of Chrome, this vulnerability poses a significant risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious HTML page containing a specific CSS payload designed to trigger the use-after-free condition.\u003c/li\u003e\n\u003cli\u003eThe victim visits the attacker-controlled website or opens the malicious HTML page via phishing or other social engineering techniques.\u003c/li\u003e\n\u003cli\u003eChrome\u0026rsquo;s rendering engine processes the HTML and CSS code.\u003c/li\u003e\n\u003cli\u003eThe vulnerability in the CSS engine is triggered during the processing of the malicious CSS, leading to memory corruption.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the use-after-free condition to overwrite memory and gain control of program execution.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary code within the Chrome sandbox.\u003c/li\u003e\n\u003cli\u003eThe attacker potentially escalates privileges or escapes the sandbox environment, depending on further exploitation techniques.\u003c/li\u003e\n\u003cli\u003eThe attacker performs malicious actions, such as installing malware, stealing sensitive data, or 
further compromising the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6300 allows a remote attacker to execute arbitrary code within the Chrome sandbox. While the sandbox provides a degree of isolation, determined attackers may be able to escalate privileges or escape the sandbox entirely, leading to full system compromise. This could allow for the installation of malware, theft of sensitive data, or other malicious activities. Given the widespread use of Chrome, a successful exploit could potentially affect millions of users.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpdate Google Chrome to version 147.0.7727.101 or later to patch CVE-2026-6300.\u003c/li\u003e\n\u003cli\u003eDeploy the following Sigma rule to detect potential exploitation attempts based on suspicious process creation events related to Chrome: \u003ccode\u003etitle: \u0026quot;Detect Possible Chrome UAF Exploitation\u0026quot;\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003eEnable process creation logging for Google Chrome to ensure the Sigma rule functions correctly.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-16T12:00:00Z","date_published":"2026-04-16T12:00:00Z","id":"/briefs/2026-04-chrome-uaf/","summary":"A use-after-free vulnerability in Google Chrome's CSS engine (CVE-2026-6300) allows a remote attacker to execute arbitrary code within a sandbox by exploiting a crafted HTML page.","title":"Google Chrome CSS Use-After-Free Vulnerability (CVE-2026-6300)","url":"https://feed.craftedsignal.io/briefs/2026-04-chrome-uaf/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.3,"id":"CVE-2026-6297"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve","use-after-free","chrome","sandbox escape"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-6297 is a critical security 
flaw affecting Google Chrome users. The vulnerability, a use-after-free issue within the Proxy component, exists in versions prior to 147.0.7727.101. Successfully exploiting this vulnerability would allow an attacker positioned in a privileged network location to potentially break out of Chrome\u0026rsquo;s sandbox. The attack vector involves a specially crafted HTML page delivered to the victim. This is a critical vulnerability because a successful exploit could lead to arbitrary code execution within the context of the user running Chrome, potentially leading to data theft, system compromise, or further lateral movement within a network.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains a privileged network position, such as through ARP poisoning or DNS spoofing.\u003c/li\u003e\n\u003cli\u003eThe victim user browses to a website or is redirected to a website controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker injects a malicious HTML page into the victim\u0026rsquo;s browser session.\u003c/li\u003e\n\u003cli\u003eThe malicious HTML page leverages JavaScript to trigger the use-after-free vulnerability in Chrome\u0026rsquo;s Proxy component.\u003c/li\u003e\n\u003cli\u003eThe use-after-free condition allows the attacker to corrupt memory within the Chrome process.\u003c/li\u003e\n\u003cli\u003eBy carefully crafting the memory corruption, the attacker gains control of program execution.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary code within the Chrome sandbox.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the initial code execution within the sandbox to attempt a sandbox escape and gain access to the underlying operating system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6297 allows an attacker in a privileged network position to perform a sandbox escape. 
This can lead to arbitrary code execution on the user\u0026rsquo;s machine, potentially compromising sensitive data, allowing for further exploitation of the system, and enabling lateral movement within the network. Due to the widespread use of Chrome, this vulnerability has the potential to affect a large number of users across various sectors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Google Chrome to version 147.0.7727.101 or later to patch CVE-2026-6297.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Chrome Sandbox Escape via Crafted HTML\u0026rdquo; to identify potential exploitation attempts within your environment.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for signs of ARP poisoning or DNS spoofing, which are common prerequisites for exploiting vulnerabilities like CVE-2026-6297.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-15T20:16:38Z","date_published":"2026-04-15T20:16:38Z","id":"/briefs/2026-04-chrome-use-after-free/","summary":"CVE-2026-6297 is a critical use-after-free vulnerability in the Proxy component of Google Chrome before version 147.0.7727.101, enabling a privileged network attacker to potentially achieve sandbox escape via a crafted HTML page.","title":"Google Chrome Proxy Use-After-Free Vulnerability (CVE-2026-6297)","url":"https://feed.craftedsignal.io/briefs/2026-04-chrome-use-after-free/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["cookie-theft","credential-access","chrome"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eGoogle has introduced Device Bound Session Credentials (DBSC) in Chrome 146 for Windows to combat session cookie theft, with a macOS version planned for a future release. 
This feature, initially announced in April 2024, aims to protect user accounts from compromise by rendering stolen authentication cookies useless. Session cookies are often stolen using information-stealing malware and traded on cybercrime platforms, allowing attackers to access accounts without passwords. DBSC mitigates this threat by cryptographically binding authentication sessions to the user\u0026rsquo;s device, leveraging hardware-backed security modules to generate unique public/private key pairs. This ensures that even if cookies are exfiltrated, they quickly expire and become unusable, enhancing overall security for Chrome users. Websites can adopt DBSC via registration and refresh endpoints.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker deploys information-stealing malware on a victim\u0026rsquo;s Windows or macOS system.\u003c/li\u003e\n\u003cli\u003eThe malware gains access to the browser\u0026rsquo;s local files and memory, where authentication cookies are stored.\u003c/li\u003e\n\u003cli\u003eThe malware exfiltrates the stolen session cookies to a command-and-control server.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to use the stolen session cookies to access the victim\u0026rsquo;s accounts on various web platforms.\u003c/li\u003e\n\u003cli\u003eIf DBSC is not implemented, the attacker successfully gains unauthorized access to the user\u0026rsquo;s accounts.\u003c/li\u003e\n\u003cli\u003eIf DBSC is implemented, Chrome checks for device-bound credentials.\u003c/li\u003e\n\u003cli\u003eThe web server requires proof of possession of the private key associated with the session. 
Since the attacker lacks this key, the exfiltrated cookies are useless.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s attempt to access the account is blocked, preventing unauthorized access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of stolen session cookies can lead to unauthorized access to user accounts across various platforms, potentially resulting in data breaches, financial loss, and reputational damage. While the article does not cite specific victim counts or sectors affected, the widespread use of Chrome and the prevalence of cookie-stealing malware makes this a significant threat. The implementation of DBSC aims to significantly reduce the risk of account compromise via stolen cookies.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDetection engineers should familiarize themselves with the concept and deployment of Device Bound Session Credentials (DBSC) to understand its impact on existing detection strategies.\u003c/li\u003e\n\u003cli\u003eMonitor for the presence of information-stealing malware that targets browser cookie storage locations using \u003ccode\u003efile_event\u003c/code\u003e and \u003ccode\u003eprocess_creation\u003c/code\u003e log sources.\u003c/li\u003e\n\u003cli\u003eConsider deploying the Sigma rule to detect anomalous processes accessing browser cookie storage locations to identify potential cookie theft attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-10T07:50:52Z","date_published":"2026-04-10T07:50:52Z","id":"/briefs/2026-04-chrome-cookie-protection/","summary":"Google's rollout of Device Bound Session Credentials (DBSC) in Chrome 146 for Windows, with a future release planned for macOS, cryptographically binds authentication sessions to the user's device, rendering stolen session cookies unusable and mitigating credential access.","title":"Google Chrome 
Device Bound Session Credentials (DBSC) Mitigates Cookie Theft","url":"https://feed.craftedsignal.io/briefs/2026-04-chrome-cookie-protection/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-4673","chrome","webaudio","heap overflow","code execution"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-4673 is a heap buffer overflow vulnerability affecting the WebAudio component of Google Chrome. The vulnerability exists in versions prior to 146.0.7680.165. A remote attacker could exploit this vulnerability by crafting a malicious HTML page designed to trigger an out-of-bounds memory write. The Chromium security team has rated this vulnerability as High severity. Successful exploitation could allow an attacker to potentially execute arbitrary code within the context of the Chrome…\u003c/p\u003e\n","date_modified":"2026-03-25T12:00:00Z","date_published":"2026-03-25T12:00:00Z","id":"/briefs/2026-03-chrome-webaudio-heap-overflow/","summary":"A remote attacker can exploit a heap buffer overflow vulnerability (CVE-2026-4673) in Google Chrome's WebAudio component before version 146.0.7680.165 by crafting a malicious HTML page, potentially leading to an out-of-bounds memory write and arbitrary code execution.","title":"Google Chrome WebAudio Heap Buffer Overflow Vulnerability (CVE-2026-4673)","url":"https://feed.craftedsignal.io/briefs/2026-03-chrome-webaudio-heap-overflow/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-4675","heap-buffer-overflow","webgl","chrome","remote-code-execution"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-4675 describes a heap buffer overflow vulnerability affecting the WebGL component of Google Chrome. Specifically, versions prior to 146.0.7680.165 are susceptible. 
An attacker can exploit this vulnerability by crafting a malicious HTML page that, when rendered by a vulnerable Chrome browser, triggers an out-of-bounds memory read due to the heap buffer overflow in WebGL. The Chromium security team rated this as a \u0026ldquo;High\u0026rdquo; severity issue. Successful exploitation can lead to information…\u003c/p\u003e\n","date_modified":"2026-03-25T12:00:00Z","date_published":"2026-03-25T12:00:00Z","id":"/briefs/2026-03-chrome-webgl-heap-overflow/","summary":"A heap buffer overflow vulnerability (CVE-2026-4675) exists in Google Chrome's WebGL implementation prior to version 146.0.7680.165, allowing a remote attacker to perform an out-of-bounds memory read via a specially crafted HTML page, potentially leading to information disclosure or arbitrary code execution.","title":"CVE-2026-4675: Google Chrome WebGL Heap Buffer Overflow Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-03-chrome-webgl-heap-overflow/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-4678","use-after-free","chrome","webgpu"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-4678 is a use-after-free vulnerability impacting Google Chrome versions earlier than 146.0.7680.165. The vulnerability resides within the WebGPU component, a modern graphics API. An unauthenticated, remote attacker can exploit this flaw by enticing a user to open a specially crafted HTML page. Successful exploitation allows the attacker to execute arbitrary code inside the Chrome sandbox. 
The Chromium project rates this as a High severity issue due to the potential for arbitrary code…\u003c/p\u003e\n","date_modified":"2026-03-24T01:17:03Z","date_published":"2026-03-24T01:17:03Z","id":"/briefs/2026-03-chrome-webgpu-uaf/","summary":"A use-after-free vulnerability in Google Chrome's WebGPU component (CVE-2026-4678) allows a remote attacker to execute arbitrary code within a sandbox by crafting a malicious HTML page, affecting Chrome versions prior to 146.0.7680.165.","title":"Google Chrome WebGPU Use-After-Free Vulnerability (CVE-2026-4678)","url":"https://feed.craftedsignal.io/briefs/2026-03-chrome-webgpu-uaf/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-4677","chrome","webaudio","out-of-bounds read"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-4677 describes an out-of-bounds memory read vulnerability in the WebAudio component of Google Chrome. Successful exploitation of this vulnerability allows a remote attacker to potentially read sensitive information from the browser\u0026rsquo;s memory. The vulnerability exists in Google Chrome versions prior to 146.0.7680.165. The attack involves crafting a malicious HTML page that, when opened in a vulnerable version of Chrome, triggers the out-of-bounds read in the WebAudio processing. 
The…\u003c/p\u003e\n","date_modified":"2026-03-24T01:17:03Z","date_published":"2026-03-24T01:17:03Z","id":"/briefs/2026-03-chrome-webaudio-oob-read/","summary":"A remote attacker can trigger an out-of-bounds memory read in Google Chrome's WebAudio implementation by crafting a malicious HTML page (CVE-2026-4677), affecting versions prior to 146.0.7680.165.","title":"Google Chrome WebAudio Out-of-Bounds Read Vulnerability (CVE-2026-4677)","url":"https://feed.craftedsignal.io/briefs/2026-03-chrome-webaudio-oob-read/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["use-after-free","sandbox-escape","chrome","cve-2026-4676"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-4676 is a use-after-free vulnerability affecting Google Chrome versions prior to 146.0.7680.165. This flaw resides within the Dawn component of Chrome and can be triggered by a remote attacker who crafts a malicious HTML page. Successful exploitation could lead to a sandbox escape, granting the attacker elevated privileges within the system. This vulnerability was patched in the March 23, 2026 stable channel update for desktop. 
The vulnerability affects users on Windows, Linux, and…\u003c/p\u003e\n","date_modified":"2026-03-24T01:17:03Z","date_published":"2026-03-24T01:17:03Z","id":"/briefs/2026-03-chrome-uaf/","summary":"A use-after-free vulnerability (CVE-2026-4676) in Google Chrome before 146.0.7680.165 allows a remote attacker to potentially perform a sandbox escape via a crafted HTML page.","title":"Google Chrome Use-After-Free Vulnerability (CVE-2026-4676)","url":"https://feed.craftedsignal.io/briefs/2026-03-chrome-uaf/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-4679","chrome","integer-overflow","memory-corruption"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-4679 is an integer overflow vulnerability affecting the Fonts component in Google Chrome versions prior to 146.0.7680.165. A remote attacker can exploit this vulnerability by crafting a malicious HTML page that, when rendered by a vulnerable Chrome browser, triggers an integer overflow condition, leading to an out-of-bounds memory write. This vulnerability exists because of insufficient validation when handling font data. 
Successful exploitation could lead to arbitrary code execution…\u003c/p\u003e\n","date_modified":"2026-03-24T01:17:03Z","date_published":"2026-03-24T01:17:03Z","id":"/briefs/2026-03-chrome-font-overflow/","summary":"A remote attacker can perform an out-of-bounds memory write on Google Chrome by exploiting an integer overflow in the Fonts component via a crafted HTML page in versions prior to 146.0.7680.165.","title":"Google Chrome Font Integer Overflow Vulnerability (CVE-2026-4679)","url":"https://feed.craftedsignal.io/briefs/2026-03-chrome-font-overflow/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["CVE-2026-4680","use-after-free","chrome","fedcm"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA use-after-free vulnerability, identified as CVE-2026-4680, exists in the FedCM implementation of Google Chrome. This flaw affects versions prior to 146.0.7680.165. Exploitation is possible by a remote attacker who crafts a malicious HTML page. Successful exploitation allows for arbitrary code execution within the Chrome sandbox, potentially leading to further compromise. The Chromium security team has rated this vulnerability as High severity. 
This issue impacts users across Windows, Linux…\u003c/p\u003e\n","date_modified":"2026-03-24T01:17:03Z","date_published":"2026-03-24T01:17:03Z","id":"/briefs/2026-03-chrome-fedcm-uaf/","summary":"A use-after-free vulnerability in Google Chrome's FedCM component (CVE-2026-4680) allows a remote attacker to execute arbitrary code within a sandbox by exploiting a crafted HTML page.","title":"Google Chrome FedCM Use-After-Free Vulnerability (CVE-2026-4680)","url":"https://feed.craftedsignal.io/briefs/2026-03-chrome-fedcm-uaf/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve","out-of-bounds read","chrome"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-4674 is an out-of-bounds read vulnerability affecting Google Chrome versions prior to 146.0.7680.165. This vulnerability resides in the CSS processing engine of Chrome. A remote attacker can exploit this vulnerability by crafting a malicious HTML page that, when opened in a vulnerable version of Chrome, triggers an out-of-bounds read. 
The successful exploitation of this vulnerability allows the attacker to read sensitive information from the browser\u0026rsquo;s memory, potentially leading to…\u003c/p\u003e\n","date_modified":"2026-03-24T01:17:02Z","date_published":"2026-03-24T01:17:02Z","id":"/briefs/2026-03-chrome-oob-read/","summary":"A remote attacker can exploit an out-of-bounds read vulnerability (CVE-2026-4674) in Google Chrome versions prior to 146.0.7680.165 to achieve out-of-bounds memory access via a crafted HTML page, impacting confidentiality, integrity, and availability.","title":"Google Chrome Out-of-Bounds Read Vulnerability (CVE-2026-4674)","url":"https://feed.craftedsignal.io/briefs/2026-03-chrome-oob-read/"},{"_cs_actors":["VoidStealer"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["credential-theft","chrome","debugging"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eVoidStealer is a threat actor utilizing advanced techniques to extract sensitive information from Google Chrome. This is achieved by abusing Chrome\u0026rsquo;s built-in debugging features. The threat actor\u0026rsquo;s primary goal is to steal credentials, session cookies, and potentially other sensitive data stored within the browser\u0026rsquo;s memory. This allows for account takeover and lateral movement within compromised environments. The technique bypasses traditional security measures, as it operates within a legitimate browser process. 
This activity started being discussed in open source forums around March 2026 and represents a sophisticated approach to browser credential theft.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the target system through an unspecified method (e.g., malware distribution, social engineering).\u003c/li\u003e\n\u003cli\u003eThe attacker deploys VoidStealer, a custom tool or script designed to interface with Chrome\u0026rsquo;s debugging API.\u003c/li\u003e\n\u003cli\u003eVoidStealer identifies running Chrome processes and attaches itself as a debugger.\u003c/li\u003e\n\u003cli\u003eThe tool leverages the debugging interface to inspect Chrome\u0026rsquo;s memory space.\u003c/li\u003e\n\u003cli\u003eVoidStealer searches for specific data structures and memory regions known to store credentials, session cookies, and other sensitive information.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts the targeted data from Chrome\u0026rsquo;s memory.\u003c/li\u003e\n\u003cli\u003eStolen data is exfiltrated to a command-and-control server controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials and session cookies for account takeover, lateral movement, and potentially data exfiltration from other systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful VoidStealer attacks can lead to significant data breaches, account takeovers, and financial losses. Organizations in any sector are at risk, especially those that heavily rely on web-based applications and services. The compromise of user credentials allows attackers to gain unauthorized access to sensitive corporate resources, intellectual property, and customer data. 
If successful, this can also lead to follow-on attacks, such as ransomware deployment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events for unexpected tools attaching to Chrome processes as debuggers to identify potential VoidStealer activity. Deploy the \u0026ldquo;Suspicious Chrome Debugging Attachment\u0026rdquo; Sigma rule to your SIEM.\u003c/li\u003e\n\u003cli\u003eImplement strict process whitelisting policies to prevent unauthorized applications from running on endpoints.\u003c/li\u003e\n\u003cli\u003eEnable and review Chrome\u0026rsquo;s built-in security features, such as password protection and safe browsing, to mitigate the risk of credential theft.\u003c/li\u003e\n\u003cli\u003eEducate users about the risks of downloading and executing untrusted software.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-20T05:48:21Z","date_published":"2026-03-20T05:48:21Z","id":"/briefs/2024-01-23-voidstealer-chrome-debugging/","summary":"VoidStealer leverages Chrome debugging capabilities to extract sensitive information, such as credentials and session cookies, directly from the browser's memory.","title":"VoidStealer Steals Secrets by Debugging Chrome","url":"https://feed.craftedsignal.io/briefs/2024-01-23-voidstealer-chrome-debugging/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["vulnerability","chrome","skia","cve-2026-3909","cve-2026-3910"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eOn March 13, 2026, CISA added CVE-2026-3909, an out-of-bounds write vulnerability in Google Skia, and CVE-2026-3910, an unspecified vulnerability in Google Chromium V8, to its Known Exploited Vulnerabilities (KEV) Catalog. These vulnerabilities are actively being exploited in the wild and are considered frequent attack vectors. 
While CISA\u0026rsquo;s BOD 22-01 mandates Federal Civilian Executive Branch (FCEB) agencies to remediate these vulnerabilities, CISA strongly urges all organizations to prioritize…\u003c/p\u003e\n","date_modified":"2026-03-14T10:00:00Z","date_published":"2026-03-14T10:00:00Z","id":"/briefs/2026-03-cisa-kev-google-vulnerabilities/","summary":"CISA added CVE-2026-3909, an out-of-bounds write vulnerability in Google Skia, and CVE-2026-3910, an unspecified vulnerability in Google Chromium V8 to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation, highlighting the need for timely remediation.","title":"CISA Adds Google Skia and Chromium V8 Vulnerabilities to KEV Catalog","url":"https://feed.craftedsignal.io/briefs/2026-03-cisa-kev-google-vulnerabilities/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Chrome","Splunk Enterprise Security","Splunk Enterprise","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["credential-access","password-stealing","chrome"],"_cs_type":"advisory","_cs_vendors":["Google","Splunk"],"content_html":"\u003cp\u003eThis threat brief focuses on detecting unauthorized access to the Chrome \u0026lsquo;Local State\u0026rsquo; file, a critical component of the Chrome browser that stores settings and, more importantly, the encrypted master key used to protect saved passwords. The \u0026lsquo;Local State\u0026rsquo; file is typically accessed only by the Chrome browser itself. When other processes attempt to read this file, it\u0026rsquo;s a strong indicator of malicious activity, potentially involving credential theft or reconnaissance by malware such as RedLine Stealer. This analytic leverages Windows Security Event logs, specifically event code 4663, to identify this behavior. 
Detecting and responding to this activity is crucial for preventing attackers from gaining access to sensitive user credentials stored within the Chrome browser.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system, often through phishing or exploitation of a software vulnerability (not specified in this advisory).\u003c/li\u003e\n\u003cli\u003eMalware is deployed on the victim machine (e.g., RedLine Stealer).\u003c/li\u003e\n\u003cli\u003eThe malware attempts to locate the Chrome \u0026lsquo;Local State\u0026rsquo; file, typically found at \u003ccode\u003e*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\User Data\\\\Local State\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe malware process accesses the \u0026lsquo;Local State\u0026rsquo; file, triggering a Windows Security Event 4663.\u003c/li\u003e\n\u003cli\u003eThe malware extracts the encrypted master key from the \u0026lsquo;Local State\u0026rsquo; file.\u003c/li\u003e\n\u003cli\u003eThe malware decrypts the master key using attacker-controlled methods.\u003c/li\u003e\n\u003cli\u003eThe decrypted master key is used to decrypt saved passwords stored by Chrome.\u003c/li\u003e\n\u003cli\u003eThe stolen credentials are exfiltrated to the attacker\u0026rsquo;s command and control server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to steal user credentials stored in the Chrome browser. This can lead to unauthorized access to email accounts, social media profiles, banking websites, and other sensitive online services. The impact could range from identity theft and financial fraud to corporate espionage and data breaches. 
The number of potential victims depends on the number of systems compromised and the extent of Chrome usage on those systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable \u0026ldquo;Audit Object Access\u0026rdquo; in Group Policy and configure auditing for both \u0026ldquo;Success\u0026rdquo; and \u0026ldquo;Failure\u0026rdquo; events to ensure Windows Security Event 4663 is generated for file access, as described in the \u0026ldquo;how_to_implement\u0026rdquo; section.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Chrome Local State File Access by Non-Chrome Processes\u0026rdquo; to your SIEM to detect unauthorized access attempts (see \u0026ldquo;rules\u0026rdquo; section). Tune the rule\u0026rsquo;s filter list to reduce false positives related to legitimate software uninstallers.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on identifying the process name and path involved in accessing the \u0026lsquo;Local State\u0026rsquo; file, as described in the rule\u0026rsquo;s description.\u003c/li\u003e\n\u003cli\u003eConsider implementing network egress filtering to prevent exfiltration of stolen credentials to known malicious command and control servers.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-chrome-localstate-access/","summary":"Detection of non-Chrome processes accessing the Chrome 'Local State' file, potentially leading to extraction of the master key used for decrypting saved passwords.","title":"Unauthorized Access to Chrome Local State File","url":"https://feed.craftedsignal.io/briefs/2024-01-chrome-localstate-access/"}],"language":"en","title":"CraftedSignal Threat Feed — Chrome","version":"https://jsonfeed.org/version/1.1"}