Chrome — CraftedSignal Threat Feed

Chromium Use-After-Free Vulnerability in ANGLE (CVE-2026-7359)

hello@craftedsignal.io — Fri, 01 May 2026 02:21:40 +0000

CVE-2026-7359 describes a use-after-free vulnerability present in ANGLE (Almost Native Graphics Layer Engine), a crucial component of the Chromium open-source project. This vulnerability impacts applications that utilize the Chromium engine, most notably Google Chrome and Microsoft Edge. While the provided source does not give specific exploitation details, use-after-free vulnerabilities can allow for arbitrary code execution. Google Chrome has already addressed this vulnerability, and Microsoft Edge has incorporated the fix from Chromium. This vulnerability matters to defenders because successful exploitation could lead to compromise of the browser and potentially the underlying system.

Attack Chain

An attacker crafts a malicious web page containing JavaScript code that leverages a flaw in ANGLE’s memory management.
A user visits the malicious web page through Chrome or Edge.
The JavaScript code triggers the use-after-free vulnerability by freeing a memory object in ANGLE and then attempting to access it again.
This memory corruption leads to a controlled crash or allows the attacker to overwrite memory with arbitrary data.
The attacker leverages the memory overwrite to inject malicious code into the browser process.
The injected code executes within the context of the browser, granting the attacker access to user data, cookies, and other sensitive information.
The attacker may then use this access to perform actions on behalf of the user, such as stealing credentials, installing malware, or spreading the attack to other systems.
The attacker achieves arbitrary code execution on the user’s system, potentially leading to full system compromise.

Impact

A successful exploit of CVE-2026-7359 could allow an attacker to execute arbitrary code within the context of the affected browser (Chrome or Edge). This can lead to sensitive information disclosure, data theft, and potentially full system compromise. The scope of impact is broad, affecting any user who visits a malicious webpage while using a vulnerable version of Chrome or Edge. Since Chrome and Edge are widely used, this vulnerability poses a significant risk.

Recommendation

Deploy the Sigma rule Detect Suspicious WebGL Usage to identify potential exploitation attempts targeting ANGLE via WebGL.
Monitor web server logs for suspicious requests (cs-uri-query) that may be related to the exploitation of CVE-2026-7359.
Ensure that all Chrome and Edge installations are updated to the latest versions to patch CVE-2026-7359.

Chromium Use-After-Free Vulnerability in GPU Component (CVE-2026-7357)

hello@craftedsignal.io — Fri, 01 May 2026 02:21:27 +0000

CVE-2026-7357 is a critical use-after-free vulnerability residing within the GPU component of the Chromium rendering engine. This flaw directly impacts Google Chrome and, due to Microsoft Edge’s reliance on Chromium, also affects Edge users. A remote attacker could potentially exploit this vulnerability to execute arbitrary code on a targeted system. The vulnerability stems from improper memory management within the GPU processing routines. While the specific exploitation details are not provided in this brief, successful exploitation generally involves crafting malicious web content to trigger the vulnerability during GPU operations.

Attack Chain

Attacker crafts a malicious HTML page containing JavaScript that triggers specific GPU functions.
User visits the malicious website using Chrome or Edge.
The browser’s rendering engine processes the malicious JavaScript, leading to the allocation and subsequent freeing of a memory region in the GPU component.
The attacker’s JavaScript code then attempts to access the previously freed memory region, triggering the use-after-free vulnerability.
By manipulating the memory layout, the attacker can overwrite the freed memory with controlled data.
The overwritten memory is later accessed by the GPU, leading to the execution of attacker-controlled code.
The attacker gains arbitrary code execution within the context of the browser process.
The attacker leverages the code execution to escalate privileges or perform other malicious activities.

Impact

Successful exploitation of CVE-2026-7357 can lead to arbitrary code execution on the victim’s machine. The attacker could potentially install malware, steal sensitive data, or take control of the affected system. Given the widespread use of Chrome and Edge, this vulnerability poses a significant risk to a large number of users.

Recommendation

Apply the latest security updates for Google Chrome to address CVE-2026-7357.
Apply the latest security updates for Microsoft Edge to address CVE-2026-7357.
Deploy the Sigma rule “Detect Suspicious WebAssembly Execution” to identify potential exploitation attempts involving WebAssembly.

Chromium Use-After-Free Vulnerability in Cast (CVE-2026-7338)

hello@craftedsignal.io — Fri, 01 May 2026 02:21:27 +0000

CVE-2026-7338 is a critical use-after-free vulnerability residing within the Cast component of the Chromium browser engine. Google Chrome and Microsoft Edge (Chromium-based) are both affected by this flaw. While the provided source does not specify the exact vulnerable versions, it indicates that Microsoft Edge ingests Chromium, and thus is affected by vulnerabilities addressed in Chromium releases. Successful exploitation of this vulnerability could lead to arbitrary code execution in the context of the user running the browser. This poses a significant risk, as attackers could potentially gain control of the user’s system. Defenders should prioritize patching affected browsers.

Attack Chain

An attacker crafts a malicious webpage or injects malicious code into a legitimate website that utilizes the Cast functionality.
The victim visits the malicious website or interacts with the compromised legitimate website using an affected browser (Chrome or Edge).
The malicious webpage triggers the use-after-free vulnerability in the Cast component.
The vulnerability allows the attacker to access memory that has already been freed.
The attacker overwrites the freed memory with attacker-controlled data.
The attacker manipulates the memory layout to redirect program execution.
The browser attempts to execute code from the attacker-controlled memory location.
This results in arbitrary code execution within the context of the browser process.

Impact

Successful exploitation of CVE-2026-7338 allows an attacker to execute arbitrary code on a victim’s machine. This can lead to complete system compromise, data theft, installation of malware, or other malicious activities. Given the widespread use of Chromium-based browsers like Chrome and Edge, this vulnerability has the potential to impact a large number of users across various sectors. The severity is critical due to the potential for remote code execution.

Recommendation

Apply the latest security updates for Google Chrome to address CVE-2026-7338 as detailed in Google Chrome Releases.
Apply the latest security updates for Microsoft Edge (Chromium-based) to address CVE-2026-7338, ensuring the ingested Chromium version contains the fix.
Deploy the Sigma rules provided in this brief to your SIEM to detect potential exploitation attempts targeting the Cast component.
Enable enhanced browser security features, such as sandboxing and site isolation, to limit the impact of potential exploits.

Multiple Vulnerabilities in Google Chrome

hello@craftedsignal.io — Thu, 30 Apr 2026 09:09:14 +0000

Multiple unspecified vulnerabilities have been identified in Google Chrome. An attacker exploiting these vulnerabilities could potentially execute arbitrary code, circumvent security measures, expose and manipulate sensitive information, and trigger a denial-of-service condition. The specifics of these vulnerabilities, including CVE identifiers, are not detailed in the source document. The lack of detail makes it difficult to determine the scope of the attack, but successful exploitation could lead to significant compromise of systems running Chrome. Defenders should prioritize monitoring for suspicious activity within Chrome processes.

Attack Chain

An attacker identifies a vulnerable version of Google Chrome.
The attacker crafts a malicious web page or injects malicious code into a legitimate website.
A user visits the malicious web page or a compromised legitimate website using Google Chrome.
The attacker exploits a vulnerability in Chrome, such as a use-after-free or buffer overflow.
Successful exploitation allows the attacker to execute arbitrary code within the context of the Chrome process.
The attacker leverages the code execution to bypass security mechanisms like sandboxing.
The attacker gains access to sensitive data, such as cookies, browsing history, or credentials.
The attacker manipulates data or causes a denial-of-service condition by crashing the browser or consuming excessive resources.

Impact

Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code, bypass security mechanisms, disclose and manipulate data, and cause a denial-of-service condition. The impact ranges from data theft and credential compromise to complete system takeover, depending on the specific vulnerability and the attacker’s objectives. While the exact number of potential victims is unknown, the widespread use of Chrome makes this a high-impact threat.

Recommendation

Monitor process creation events for suspicious child processes spawned by chrome.exe, especially those involving command-line interpreters or scripting engines. Use the “Detect Suspicious Child Process of Chrome” Sigma rule.
Inspect network connections originating from chrome.exe for unusual destinations or protocols. Deploy the “Detect Outbound Connection from Chrome without User Interaction” Sigma rule.
Implement web content filtering to block access to known malicious websites that might attempt to exploit Chrome vulnerabilities.

Google Chrome V8 Type Confusion Vulnerability (CVE-2026-6363)

hello@craftedsignal.io — Thu, 16 Apr 2026 12:00:00 +0000

CVE-2026-6363 is a type confusion vulnerability affecting the V8 JavaScript engine within Google Chrome. This vulnerability resides in versions prior to 147.0.7727.101. A remote attacker could exploit this flaw by crafting a malicious HTML page designed to trigger the type confusion, leading to an out-of-bounds memory access. The Chromium security team rated this vulnerability as having medium severity. Successful exploitation could allow an attacker to potentially execute arbitrary code within the context of the browser. Defenders should prioritize patching vulnerable Chrome installations.

Attack Chain

The attacker crafts a malicious HTML page containing JavaScript code designed to trigger the type confusion vulnerability in the V8 engine.
The victim visits the malicious HTML page, either by directly navigating to it or by being redirected through a phishing attack or drive-by download.
The victim’s Chrome browser attempts to render the malicious HTML and execute the embedded JavaScript code.
The crafted JavaScript code exploits the type confusion vulnerability in the V8 engine, leading to an incorrect type assignment.
The type confusion results in an out-of-bounds memory access, allowing the attacker to read or write to arbitrary memory locations.
The attacker leverages the ability to read and write to arbitrary memory locations to inject and execute malicious code within the Chrome process.
The attacker gains control of the Chrome process and can perform actions such as stealing cookies, injecting keyloggers, or accessing sensitive information.
The attacker may pivot from the compromised browser to other systems on the network, depending on the environment and attacker objectives.

Impact

Successful exploitation of CVE-2026-6363 can lead to arbitrary code execution within the context of the Chrome browser. This could allow an attacker to steal sensitive information such as cookies, credentials, and browsing history. It can also lead to further compromise of the affected system and potentially other systems on the network. While the Chromium security severity is rated as Medium, the impact of successful exploitation can be significant.

Recommendation

Upgrade Google Chrome to version 147.0.7727.101 or later to patch CVE-2026-6363.
Deploy the Sigma rule Detect Suspicious Chrome Process Memory Access to detect potential exploitation attempts based on process memory access patterns.
Monitor web server logs for requests to unusual or suspicious HTML pages that could be used to deliver the exploit.

Google Chrome Turbofan Type Confusion Vulnerability (CVE-2026-6301)

hello@craftedsignal.io — Thu, 16 Apr 2026 12:00:00 +0000

CVE-2026-6301 describes a type confusion vulnerability affecting the Turbofan component in Google Chrome versions prior to 147.0.7727.101. The vulnerability allows a remote attacker to potentially execute arbitrary code within the Chrome sandbox. The attack is initiated by crafting a malicious HTML page that, when rendered by a vulnerable Chrome browser, triggers the type confusion in Turbofan. Successful exploitation could lead to arbitrary code execution, potentially allowing the attacker to gain control of the affected system or access sensitive information within the sandbox constraints. This vulnerability poses a significant risk to users browsing untrusted websites or opening malicious HTML files.

Attack Chain

Attacker crafts a malicious HTML page designed to trigger the type confusion vulnerability in Chrome’s Turbofan.
The victim visits the attacker-controlled website hosting the malicious HTML page or opens a locally stored HTML file.
Chrome’s rendering engine attempts to process the malicious HTML, triggering the Turbofan component responsible for JavaScript optimization.
The type confusion vulnerability is exploited due to the crafted HTML, leading to incorrect assumptions about object types during JavaScript execution.
The incorrect type assumptions allow the attacker to manipulate memory within the Chrome renderer process.
The attacker leverages the memory manipulation capabilities to inject and execute arbitrary code within the Chrome sandbox.
The attacker’s code executes with the privileges of the Chrome renderer process.

Impact

Successful exploitation of CVE-2026-6301 allows a remote attacker to execute arbitrary code within the Chrome sandbox. While the sandbox provides some level of isolation, a determined attacker may be able to escape the sandbox and gain further access to the underlying system. The impact includes potential data theft, installation of malware, or complete system compromise, depending on the attacker’s ability to bypass sandbox protections.

Recommendation

Upgrade Google Chrome to version 147.0.7727.101 or later to patch CVE-2026-6301 (reference: https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_15.html).
Deploy the Sigma rule “Detect Suspicious Script Execution via Chrome” to identify potential exploitation attempts (reference: Sigma rule below).
Educate users about the risks of visiting untrusted websites and opening suspicious HTML files to prevent initial access.

Google Chrome Sandbox Escape via Uninitialized Use in Accessibility (CVE-2026-6311)

hello@craftedsignal.io — Thu, 16 Apr 2026 12:00:00 +0000

CVE-2026-6311 describes a high-severity vulnerability affecting Google Chrome on Windows. Specifically, an uninitialized use in the Accessibility component exists in versions prior to 147.0.7727.101. This flaw allows a remote attacker, who has already compromised the renderer process, to potentially escape the browser’s sandbox environment. The attacker exploits this vulnerability by crafting a malicious HTML page. Successful exploitation allows the attacker to execute code outside of the Chrome sandbox, potentially leading to arbitrary code execution on the underlying system. This vulnerability was patched in Chrome version 147.0.7727.101, released in April 2026. The Chromium project assigned a security severity of High to this issue.

Attack Chain

The attacker crafts a malicious HTML page designed to trigger the uninitialized use vulnerability in the Accessibility component.
The victim visits the malicious HTML page through a phishing link or drive-by download.
The HTML page is rendered by Google Chrome, which triggers the vulnerability in the Accessibility component.
Due to the uninitialized memory, the attacker gains control of a pointer or other sensitive data.
The attacker leverages this control to read from or write to arbitrary memory locations within the renderer process.
The attacker manipulates the memory of the renderer process to bypass sandbox restrictions.
The attacker gains the ability to execute arbitrary code outside of the Chrome sandbox.
The attacker can now perform actions such as installing malware, stealing sensitive data, or pivoting to other systems on the network.

Impact

Successful exploitation of CVE-2026-6311 allows an attacker to escape the Google Chrome sandbox on Windows systems. This can lead to arbitrary code execution on the victim’s machine, potentially leading to data theft, malware installation, or further compromise of the network. Given Chrome’s widespread use, this vulnerability poses a significant risk to a large number of users. While the exact number of victims is unknown, the potential impact is high due to the ability to bypass the browser’s security measures.

Recommendation

Upgrade Google Chrome to version 147.0.7727.101 or later to patch CVE-2026-6311 (reference: Overview).
Monitor process creation events for unexpected processes spawned by Chrome renderer processes, as a sign of successful sandbox escape (reference: Attack Chain step 8 and the “Detect Chrome Sandbox Escape via Child Process” Sigma rule).
Implement web filtering to block access to known malicious websites that may host exploit code targeting this vulnerability (reference: Attack Chain step 2).
Deploy the Sigma rules in this brief to your SIEM and tune for your environment.

Google Chrome GPU Out-of-Bounds Write Vulnerability (CVE-2026-6314)

hello@craftedsignal.io — Thu, 16 Apr 2026 12:00:00 +0000

CVE-2026-6314 is a security vulnerability affecting Google Chrome versions prior to 147.0.7727.101. The vulnerability resides within the GPU process and is classified as an out-of-bounds write. Successful exploitation could allow a remote attacker who has already compromised the GPU process to perform a sandbox escape, potentially gaining broader system access. The vulnerability can be triggered by a crafted HTML page. The Chromium security team has rated this vulnerability as High severity. This vulnerability was patched in the 147.0.7727.101 release.

Attack Chain

The attacker crafts a malicious HTML page designed to trigger the out-of-bounds write in the GPU process.
The victim visits the malicious HTML page using a vulnerable version of Google Chrome.
The HTML page leverages JavaScript to initiate a GPU-related operation that triggers the vulnerable code path.
The GPU process attempts to write data outside of the intended memory buffer due to a flaw in the code.
This out-of-bounds write corrupts memory within the GPU process.
The attacker leverages the memory corruption to overwrite critical data structures or code within the GPU process.
By manipulating the GPU process’s memory, the attacker attempts to escape the Chrome sandbox.
If successful, the attacker gains the ability to execute arbitrary code outside the sandbox, potentially compromising the user’s system.

Impact

Successful exploitation of CVE-2026-6314 allows an attacker to escape the Chrome sandbox. This allows the attacker to potentially execute arbitrary code on the victim’s machine. While the exact number of victims is unknown, all users of Google Chrome versions prior to 147.0.7727.101 are potentially vulnerable. A successful sandbox escape could lead to data theft, malware installation, or other malicious activities, depending on the privileges of the compromised user.

Recommendation

Upgrade Google Chrome to version 147.0.7727.101 or later to patch CVE-2026-6314.
Deploy the Sigma rule Detect Chrome GPU Process Crash to identify potential exploitation attempts based on abnormal process termination.
Monitor web server logs for requests to suspicious HTML pages (cs-uri-query, cs-uri-stem) that could be used to deliver the exploit.

Google Chrome CSS Use-After-Free Vulnerability (CVE-2026-6300)

hello@craftedsignal.io — Thu, 16 Apr 2026 12:00:00 +0000

CVE-2026-6300 is a use-after-free vulnerability affecting the CSS engine in Google Chrome versions prior to 147.0.7727.101. Successful exploitation allows a remote attacker to execute arbitrary code inside a sandbox environment. The vulnerability is triggered when processing a maliciously crafted HTML page. Google Chrome users who have not updated to version 147.0.7727.101 or later are vulnerable. Given the widespread use of Chrome, this vulnerability poses a significant risk.

Attack Chain

Attacker crafts a malicious HTML page containing a specific CSS payload designed to trigger the use-after-free condition.
The victim visits the attacker-controlled website or opens the malicious HTML page via phishing or other social engineering techniques.
Chrome’s rendering engine processes the HTML and CSS code.
The vulnerability in the CSS engine is triggered during the processing of the malicious CSS, leading to memory corruption.
The attacker leverages the use-after-free condition to overwrite memory and gain control of program execution.
The attacker executes arbitrary code within the Chrome sandbox.
The attacker potentially escalates privileges or escapes the sandbox environment, depending on further exploitation techniques.
The attacker performs malicious actions, such as installing malware, stealing sensitive data, or further compromising the system.

Impact

Successful exploitation of CVE-2026-6300 allows a remote attacker to execute arbitrary code within the Chrome sandbox. While the sandbox provides a degree of isolation, determined attackers may be able to escalate privileges or escape the sandbox entirely, leading to full system compromise. This could allow for the installation of malware, theft of sensitive data, or other malicious activities. Given the widespread use of Chrome, a successful exploit could potentially affect millions of users.

Recommendation

Update Google Chrome to version 147.0.7727.101 or later to patch CVE-2026-6300.
Deploy the following Sigma rule to detect potential exploitation attempts based on suspicious process creation events related to Chrome: title: "Detect Possible Chrome UAF Exploitation"
Enable process creation logging for Google Chrome to ensure the Sigma rule functions correctly.

Google Chrome Proxy Use-After-Free Vulnerability (CVE-2026-6297)

hello@craftedsignal.io — Wed, 15 Apr 2026 20:16:38 +0000

CVE-2026-6297 is a critical security flaw affecting Google Chrome users. The vulnerability, a use-after-free issue within the Proxy component, exists in versions prior to 147.0.7727.101. Successfully exploiting this vulnerability would allow an attacker positioned in a privileged network location to potentially break out of Chrome’s sandbox. The attack vector involves a specially crafted HTML page delivered to the victim. This is a critical vulnerability because a successful exploit could lead to arbitrary code execution within the context of the user running Chrome, potentially leading to data theft, system compromise, or further lateral movement within a network.

Attack Chain

Attacker gains a privileged network position, such as through ARP poisoning or DNS spoofing.
The victim user browses to a website or is redirected to a website controlled by the attacker.
The attacker injects a malicious HTML page into the victim’s browser session.
The malicious HTML page leverages JavaScript to trigger the use-after-free vulnerability in Chrome’s Proxy component.
The use-after-free condition allows the attacker to corrupt memory within the Chrome process.
By carefully crafting the memory corruption, the attacker gains control of program execution.
The attacker executes arbitrary code within the Chrome sandbox.
The attacker leverages the initial code execution within the sandbox to attempt a sandbox escape and gain access to the underlying operating system.

Impact

Successful exploitation of CVE-2026-6297 allows an attacker in a privileged network position to perform a sandbox escape. This can lead to arbitrary code execution on the user’s machine, potentially compromising sensitive data, allowing for further exploitation of the system, and enabling lateral movement within the network. Due to the widespread use of Chrome, this vulnerability has the potential to affect a large number of users across various sectors.

Recommendation

Upgrade Google Chrome to version 147.0.7727.101 or later to patch CVE-2026-6297.
Deploy the Sigma rule “Detect Chrome Sandbox Escape via Crafted HTML” to identify potential exploitation attempts within your environment.
Monitor network traffic for signs of ARP poisoning or DNS spoofing, which are common prerequisites for exploiting vulnerabilities like CVE-2026-6297.

Google Chrome Device Bound Session Credentials (DBSC) Mitigates Cookie Theft

hello@craftedsignal.io — Fri, 10 Apr 2026 07:50:52 +0000

Google has introduced Device Bound Session Credentials (DBSC) in Chrome 146 for Windows to combat session cookie theft, with a macOS version planned for a future release. This feature, initially announced in April 2024, aims to protect user accounts from compromise by rendering stolen authentication cookies useless. Session cookies are often stolen using information-stealing malware and traded on cybercrime platforms, allowing attackers to access accounts without passwords. DBSC mitigates this threat by cryptographically binding authentication sessions to the user’s device, leveraging hardware-backed security modules to generate unique public/private key pairs. This ensures that even if cookies are exfiltrated, they quickly expire and become unusable, enhancing overall security for Chrome users. Websites can adopt DBSC via registration and refresh endpoints.

Attack Chain

The attacker deploys information-stealing malware on a victim’s Windows or macOS system.
The malware gains access to the browser’s local files and memory, where authentication cookies are stored.
The malware exfiltrates the stolen session cookies to a command-and-control server.
The attacker attempts to use the stolen session cookies to access the victim’s accounts on various web platforms.
If DBSC is not implemented, the attacker successfully gains unauthorized access to the user’s accounts.
If DBSC is implemented, Chrome checks for device-bound credentials.
The web server requires proof of possession of the private key associated with the session. Since the attacker lacks this key, the exfiltrated cookies are useless.
The attacker’s attempt to access the account is blocked, preventing unauthorized access.

Impact

The successful exploitation of stolen session cookies can lead to unauthorized access to user accounts across various platforms, potentially resulting in data breaches, financial loss, and reputational damage. While the article does not cite specific victim counts or sectors affected, the widespread use of Chrome and the prevalence of cookie-stealing malware makes this a significant threat. The implementation of DBSC aims to significantly reduce the risk of account compromise via stolen cookies.

Recommendation

Detection engineers should familiarize themselves with the concept and deployment of Device Bound Session Credentials (DBSC) to understand its impact on existing detection strategies.
Monitor for the presence of information-stealing malware that targets browser cookie storage locations using file_event and process_creation log sources.
Consider deploying the Sigma rule to detect anomalous processes accessing browser cookie storage locations to identify potential cookie theft attempts.

Google Chrome WebAudio Heap Buffer Overflow Vulnerability (CVE-2026-4673)

hello@craftedsignal.io — Wed, 25 Mar 2026 12:00:00 +0000

CVE-2026-4673 is a heap buffer overflow vulnerability affecting the WebAudio component of Google Chrome. The vulnerability exists in versions prior to 146.0.7680.165. A remote attacker could exploit this vulnerability by crafting a malicious HTML page designed to trigger an out-of-bounds memory write. The Chromium security team has rated this vulnerability as High severity. Successful exploitation could allow an attacker to potentially execute arbitrary code within the context of the Chrome…

CVE-2026-4675: Google Chrome WebGL Heap Buffer Overflow Vulnerability

hello@craftedsignal.io — Wed, 25 Mar 2026 12:00:00 +0000

CVE-2026-4675 describes a heap buffer overflow vulnerability affecting the WebGL component of Google Chrome. Specifically, versions prior to 146.0.7680.165 are susceptible. An attacker can exploit this vulnerability by crafting a malicious HTML page that, when rendered by a vulnerable Chrome browser, triggers an out-of-bounds memory read due to the heap buffer overflow in WebGL. The Chromium security team rated this as a “High” severity issue. Successful exploitation can lead to information…

Google Chrome WebGPU Use-After-Free Vulnerability (CVE-2026-4678)