Analyst readout for executives and security teams
Plain-English summary
CVE-2026-7338 is a high-severity use-after-free vulnerability in Google Chrome's Cast component. The bundle states that Chrome versions prior to 147.0.7727.138 could allow an attacker on the same local network segment to potentially trigger heap corruption using malicious network traffic.
Executive priority
Patch promptly through normal emergency browser update processes, with priority for endpoints on shared or less trusted local networks. No active exploitation is evidenced in the supplied bundle, but the impact is high and the flaw requires no user interaction.
Technical view
The issue is classified as CWE-416, use after free, in Google Chrome Cast. The supplied CVSS v3.1 score is 7.5 with vector CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H, meaning the attack vector is adjacent network, attack complexity is high, no privileges or user interaction are required, scope is unchanged, and the confidentiality, integrity, and availability impacts are all rated high. The source bundle references Google Chrome Stable Channel release information and a Chromium issue.
Likely exposure
Organizations with desktop Chrome installations older than 147.0.7727.138 may be exposed where an attacker can reach the same local network segment as affected systems. Exposure is more constrained than internet-facing browser flaws because the attack vector is adjacent network, but no user interaction or authentication is indicated in the CVSS vector.
Exploitation context
The provided bundle does not show CISA KEV listing and does not include evidence of active exploitation. Exploitation is described only as potentially possible from the local network segment via malicious network traffic that targets heap corruption in Chrome's Cast component.
Researcher notes
Assessment is limited to the supplied CVE source bundle. The affected-version data in the bundle lists Google Chrome and references 147.0.7727.138 while the description says versions prior to 147.0.7727.138 are affected; this analysis treats 147.0.7727.138 as the vendor-indicated update threshold and recommends validating against Google guidance. No exploit details, indicators, or proof-of-concept information are provided in the bundle.
Mitigation direction
- Update Google Chrome to 147.0.7727.138 or later where available, based on the bundle description that versions prior to 147.0.7727.138 are affected.
- If enterprise update channels, OS package repositories, or managed browser policies delay that version, check Google Chrome vendor guidance and release notes before assuming a specific fixed build is deployed.
- Prioritize managed endpoints on shared, guest, corporate, or otherwise untrusted local networks.
- Use network segmentation and local network access controls to reduce adjacent-network exposure while patching is completed.
Validation and detection
- Inventory Chrome versions across managed endpoints and identify installations below 147.0.7727.138.
- Confirm auto-update or enterprise browser management has successfully deployed the fixed or later version.
- Check that high-risk network segments, including guest Wi-Fi and shared office networks, do not allow unnecessary lateral local-network reachability to user endpoints.
- Review vulnerability scanner results after browser updates complete; do not treat the issue as remediated solely because an update job was scheduled.
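The inventory step above is easy to get wrong if Chrome versions are compared as strings. This added example (not from the readout or from Google) parses four-part Chrome versions numerically, flags installs below 147.0.7727.138, and orders vulnerable hosts so that guest and shared segments come first; the host names, segment names and the `host,chrome_version,segment` CSV layout are constructed assumptions for the demonstration.

```python
FIXED_VERSION = "147.0.7727.138"  # update threshold from the bundle description
PRIORITY_SEGMENTS = ("guest", "shared")  # segment-name fragments treated as less trusted (assumed)

def parse_version(text):
    """Chrome versions are four dot-separated integers; compare them numerically.
    As strings, "147.0.7727.99" sorts after "147.0.7727.138" and would be missed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Chrome version: {text!r}")
    return tuple(int(p) for p in parts)

def is_vulnerable(version, fixed=FIXED_VERSION):
    """True when the installed build is older than the fixed build."""
    return parse_version(version) < parse_version(fixed)

def triage_inventory(lines, fixed=FIXED_VERSION):
    """Split 'host,chrome_version,segment' rows into (vulnerable, malformed).
    Vulnerable hosts on guest/shared segments are listed first for patch ordering."""
    vulnerable, malformed = [], []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            host, version, segment = (f.strip() for f in line.split(","))
            if is_vulnerable(version, fixed):
                vulnerable.append((host, version, segment))
        except ValueError:
            malformed.append(line)  # wrong column count or unparseable version: review by hand
    low_trust = lambda row: not any(k in row[2].lower() for k in PRIORITY_SEGMENTS)
    vulnerable.sort(key=lambda row: (low_trust(row), row[0]))
    return vulnerable, malformed

# Constructed sample inventory for the example; these are not real hosts.
SAMPLE_INVENTORY = """\
# host,chrome_version,network_segment
ws-002,147.0.7727.138,corp-lan
ws-001,147.0.7727.99,guest-wifi
ws-004,147.0.7800.12,corp-lan
ws-003,146.0.7620.45,shared-office
ws-006,147.0.7727.100,corp-lan
ws-005,not-installed,corp-lan
""".splitlines()

if __name__ == "__main__":
    vuln, bad = triage_inventory(SAMPLE_INVENTORY)
    for host, version, segment in vuln:
        print(f"PATCH {host:8} {version:16} {segment}")
    for line in bad:
        print(f"CHECK {line}")
```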
Public sources used
Based on public source material and reviewed before publication.
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
CWE-416: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
CVE-2026-7338 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
- Severity: High
- CVSS: 7.5 (3.1)
- Known Exploited: No
- Published
- Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CNA and ADP enrichment extracted from CVE v5
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
CVSS vector scores
1 official score
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
- Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
- Exploitability subscore: 1.6
- Impact subscore: 5.9
- Role: Primary CVE score
Vulnerability scoring details
Base CVSS 3.1 score
7.5 (High)
Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Source materials
- CVE List V5 (source)
- CVE reference: https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_28.html
- CVE reference: https://issues.chromium.org/issues/502449857
Products and packages named in the record
CWE details
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
Use After Free
Use After Free (CWE-416) is a recurring memory-safety weakness: a program keeps referencing memory after it has been freed, which can create exploitable paths when design, validation, or implementation controls are missing.