Google released Chrome 147.0.7727.138 on April 28, 2026, fixing CVE-2026-7338—a high-severity use-after-free vulnerability in the Cast component of Chromium. The flaw allows attackers on the local network to execute arbitrary code by sending maliciously crafted Cast protocol messages. With an estimated 3 billion Chrome users worldwide, this patch closes a dangerous door that could turn a compromised smart TV or streaming stick into a launchpad for lateral attacks against Windows workstations, laptops, and servers sharing the same Wi-Fi or Ethernet segment.

Security researchers at Google's Project Zero disclosed the bug after discovering it could be triggered remotely by any device advertising itself as a Cast receiver. Exploitation requires no user interaction beyond having Chrome open and the Cast service running—the default for most installations. The vulnerability sat in the CastMediaRouteProvider component, which parses JSON payloads from devices discovered via mDNS (multicast DNS) and the DIAL protocol, making every Chrome browser on the LAN a potential target the moment it detects a rogue Cast endpoint.

Understanding Use-After-Free in Chromium's Cast Component

Use-after-free (UAF) vulnerabilities occur when a program continues to reference memory that has already been freed. In modern C++ codebases like Chromium, careful ownership semantics usually prevent this, but the Cast module's media route management proved a subtle exception. The bug manifested when Chrome processed a rapid sequence of Cast device removal and re-advertising events, causing a dangling pointer to the previous route description object to persist in the route provider's internal map.

The Cast component handles device discovery, session initiation, and media transfer for Chromecast, Android TV, Nest Hub, and other Google Cast-enabled devices. It parses mDNS service announcements (and SSDP for DIAL) and maintains a list of available routes. Each route entry holds metadata (device name, capabilities, and network endpoint) that several asynchronous callbacks reference. When a device disappears, Chrome removes the route; but because of a race between the removal handler and an in-flight network response callback, the callback could still read the freed memory. If an attacker controlled the data that landed in that reclaimed heap block, they could hijack control flow, for example by planting a fake object with attacker-chosen pointers where the callback expects the route to be.

Technical Breakdown: The Race Condition

  1. Chrome's CastMediaRouteProvider subscribes to mDNS to detect new Cast devices. When a device sends a _googlecast._tcp service advertisement, Chrome creates a MediaRoute object and adds it to the provider's map.
  2. The provider also maintains asynchronous DNS-SD queries to track device liveness. If a device stops responding, a timer fires and calls RemoveRoute, which frees the route object.
  3. However, a network callback initiated before the removal—such as a DIAL app-list response—still held a raw pointer to the freed route. The callback eventually executes and accesses the stale pointer, triggering a use-after-free.
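The advertisement in step 1 and the removal in step 2 both arrive as mDNS response packets, and the parser that walks them is the first thing an attacker's packet touches. The following is an added example, not Chromium code: a bounds-checked parser that extracts the `_googlecast._tcp.local` PTR records from an mDNS response and reports each record's TTL (in DNS-SD a TTL of 0 is the "goodbye" that tells a browser the device is gone). The packet is constructed inline, not captured, and all type and function names are the example's own.

```cpp
// Added example, not Chromium code: a bounds-checked parser for the records
// Cast discovery cares about in an mDNS response. Names are assumptions.
#include <cstdint>
#include <cstring>
#include <initializer_list>
#include <optional>
#include <string>
#include <vector>

struct CastAdvert {
  std::string instance;  // e.g. "Living Room TV._googlecast._tcp.local"
  uint32_t ttl;          // 0 means DNS-SD "goodbye": the device is going away
};

// Decode a DNS name (with RFC 1035 compression) at `pos`. Advances `pos` past
// the name as it appears in the packet. Returns false on truncation, reserved
// label types, or compression pointers that do not point strictly backwards
// (which is how pointer loops are ruled out).
static bool ReadName(const std::vector<uint8_t>& p, size_t& pos, std::string& out) {
  size_t cur = pos;
  bool jumped = false;
  out.clear();
  for (;;) {
    if (cur >= p.size()) return false;
    uint8_t len = p[cur];
    if (len == 0) {
      if (!jumped) pos = cur + 1;
      return true;
    }
    if ((len & 0xC0) == 0xC0) {
      if (cur + 1 >= p.size()) return false;
      size_t target = ((len & 0x3F) << 8) | p[cur + 1];
      if (target >= cur) return false;  // forward or self pointer: reject
      if (!jumped) pos = cur + 2;
      jumped = true;
      cur = target;
      continue;
    }
    if (len & 0xC0) return false;                // 0x40/0x80 label types unsupported
    if (cur + 1 + len > p.size()) return false;  // label runs off the packet
    if (!out.empty()) out.push_back('.');
    out.append(reinterpret_cast<const char*>(&p[cur + 1]), len);
    cur += 1 + len;
  }
}

static uint16_t Rd16(const std::vector<uint8_t>& p, size_t o) { return (p[o] << 8) | p[o + 1]; }
static uint32_t Rd32(const std::vector<uint8_t>& p, size_t o) {
  return (uint32_t(Rd16(p, o)) << 16) | Rd16(p, o + 2);
}

// Returns the Cast PTR records in a response, or nullopt if the packet is
// malformed anywhere we walk. Callers should drop such packets, not "best effort" them.
std::optional<std::vector<CastAdvert>> ParseCastAdverts(const std::vector<uint8_t>& p) {
  if (p.size() < 12 || !(p[2] & 0x80)) return std::nullopt;  // header present, QR=1 only
  uint16_t qd = Rd16(p, 4), an = Rd16(p, 6);
  size_t pos = 12;
  std::string name;
  for (uint16_t i = 0; i < qd; ++i) {  // skip questions: name + type + class
    if (!ReadName(p, pos, name) || pos + 4 > p.size()) return std::nullopt;
    pos += 4;
  }
  std::vector<CastAdvert> out;
  for (uint16_t i = 0; i < an; ++i) {
    if (!ReadName(p, pos, name) || pos + 10 > p.size()) return std::nullopt;
    uint16_t type = Rd16(p, pos), rdlen = Rd16(p, pos + 8);
    uint32_t ttl = Rd32(p, pos + 4);
    pos += 10;
    if (rdlen > p.size() - pos) return std::nullopt;  // rdata truncated
    if (type == 12 && name == "_googlecast._tcp.local") {  // PTR record for the Cast service
      size_t rpos = pos;
      std::string target;
      if (!ReadName(p, rpos, target) || rpos != pos + rdlen) return std::nullopt;
      out.push_back({target, ttl});
    }
    pos += rdlen;
  }
  return out;
}

// Constructed sample (not a capture): header with QR=1, no questions, two answers.
// Answer 1 announces "Living Room TV" with TTL 120; answer 2 is a TTL 0 goodbye
// for "Rogue Cast". Both use a compression pointer back to the service name at
// offset 12, as real responders do.
std::vector<uint8_t> SamplePacket() {
  std::vector<uint8_t> p = {0, 0, 0x84, 0, 0, 0, 0, 2, 0, 0, 0, 0};
  auto label = [&](const char* s) { p.push_back(uint8_t(strlen(s))); p.insert(p.end(), s, s + strlen(s)); };
  auto ptr_to_service = [&] { p.push_back(0xC0); p.push_back(12); };
  auto rr_header = [&](uint32_t ttl) {  // TYPE=PTR(12), CLASS=IN with cache-flush bit
    p.insert(p.end(), {0, 12, 0x80, 1});
    for (int s = 24; s >= 0; s -= 8) p.push_back(uint8_t(ttl >> s));
  };
  auto ptr_rdata = [&](const char* inst) {  // RDLENGTH, then <inst>.<pointer to service>
    uint16_t rdlen = uint16_t(1 + strlen(inst) + 2);
    p.push_back(uint8_t(rdlen >> 8)); p.push_back(uint8_t(rdlen));
    label(inst); ptr_to_service();
  };
  label("_googlecast"); label("_tcp"); label("local"); p.push_back(0);  // starts at offset 12
  rr_header(120); ptr_rdata("Living Room TV");
  ptr_to_service(); rr_header(0); ptr_rdata("Rogue Cast");
  return p;
}
```

Two checks in ReadName carry the security weight: every length byte is tested against the packet size before it is used, and a compression pointer must point strictly backwards, which makes the walk terminate on any input. A parser that trusts RDLENGTH or follows pointers forward is how attacker-controlled packets reach code they should never reach.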

An attacker on the local network can weaponize this by advertising a fake Cast device in a burst of mDNS packets, immediately following it with a removal (in DNS-SD a goodbye, the same record re-announced with a TTL of 0), and then a second advertisement timed so that attacker-chosen data lands in the freed block. The heap grooming requires care but is achievable within a few seconds. That makes the bug especially dangerous in shared office spaces, coffee shops, campuses, and smart homes, where dozens of devices share one broadcast domain.

Attack Vector: From Living Room to Corporate Network

CVE-2026-7338's attack surface is unusually accessible: any device capable of sending mDNS packets on the local network can masquerade as a Cast receiver. A malicious app on a compromised IoT gadget, a rogue Raspberry Pi plugged into an Ethernet jack, or a script on an attacker's laptop connected to the guest Wi-Fi can emit the malicious sequence. Once the attacker achieves code execution in the sandboxed process that parses Cast discovery traffic, they still need a sandbox escape to compromise the host, but chaining this with a separate vulnerability, which is not uncommon in Chromium's history, could lead to full system takeover.

For Windows users, the exposure is prolonged by Chrome's background mode: the Cast service keeps processing mDNS traffic while Chrome windows are minimized, and even after the last window is closed if background apps are allowed to run. Users who leave Chrome running for days without relaunching (common on developer machines, always-on kiosks, and terminal servers) remain on the old binary even after the update has downloaded, because the new version only takes effect on relaunch. Because the bug fires during route updates, exploitation leaves almost no visible trace: no pop-up, no permission prompt, just a silent compromise.

Real-World Implications

  • Home users: Smart TVs, streaming dongles, and gaming consoles that support Cast could be exploited if an attacker compromises the home network via a vulnerable router or IoT device. The Cast vulnerability then becomes a pivot point to attack laptops and desktops.
  • Enterprise environments: Open-plan offices with Chromecast devices for conference rooms are prime targets. A visiting vendor's laptop could scan the network, impersonate a Cast receiver, and infect Chrome instances on multiple machines in minutes.
  • Hospitality and retail: Hotels, cafes, and retail stores offering Chromecast-based entertainment systems to guests inadvertently expose all patrons' laptops to this flaw until Chrome is updated.

The local network requirement mitigates internet-based attacks, but the prevalence of cheap, insecure IoT devices makes LAN exploitation a realistic threat vector. CVE-2026-7338 earned a CVSS score of 8.6 (High), reflecting network adjacency as the only limiting factor.

The Fix: Chrome 147.0.7727.138 and Chromium's Defensive Overhaul

Google's patch addresses the root cause by replacing the raw pointer held by the callback with a weak reference (base::WeakPtr<MediaRoute>). This pattern is used throughout Chromium: the callback checks the WeakPtr before touching the route, and if the route has already been destroyed it simply returns early, so freed memory is never accessed. One caveat practitioners should keep in mind when applying the same pattern: base::WeakPtr may only be checked and dereferenced on the sequence that created it, so it is only a fix when the callback is posted back to the route provider's sequence; a WeakPtr tested from another thread is itself a race. The change touched fewer than 20 lines in cast_media_route_provider.cc and media_route.h, but required extensive fuzzing to confirm no similar races remained.
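The race described in the technical breakdown and the WeakPtr fix described here, reduced to a runnable model. This is an added example, not Chromium code: a route map owning MediaRoute objects, a queued "app-list response" callback in its vulnerable raw-pointer form and in its weak-reference form, and a simulation of the advertise/queue/remove/respond sequence. std::weak_ptr stands in for base::WeakPtr (the std version is thread-safe to lock, which base::WeakPtr is not), a registry of live addresses stands in for AddressSanitizer so the stale access can be reported without actually dereferencing freed memory, and the class, method and address values are assumptions.

```cpp
// Added example, not Chromium code: a model of the route-map race and of the
// WeakPtr fix. std::weak_ptr stands in for base::WeakPtr; names are assumptions.
#include <functional>
#include <map>
#include <memory>
#include <set>
#include <string>
#include <vector>

struct MediaRoute {
  std::string id;
  std::string endpoint;
};

// Stand-in for AddressSanitizer: addresses of currently live routes. Lets the
// raw-pointer callback report "I would have read freed memory" without doing it.
static std::set<const MediaRoute*>& LiveRoutes() {
  static std::set<const MediaRoute*> live;
  return live;
}

class RouteProvider {
 public:
  enum class Outcome { kUsedLive, kUsedFreed, kSkippedStale };

  // Step 1: a _googlecast._tcp advertisement arrived; create and own the route.
  void AddRoute(const std::string& id, const std::string& endpoint) {
    auto route = std::make_shared<MediaRoute>(MediaRoute{id, endpoint});
    LiveRoutes().insert(route.get());
    routes_[id] = route;
  }

  // Step 2: liveness timer (or TTL 0 goodbye) fired. The map is the only owner,
  // so the object is destroyed here while queued callbacks may still refer to it.
  void RemoveRoute(const std::string& id) {
    auto it = routes_.find(id);
    if (it == routes_.end()) return;
    LiveRoutes().erase(it->second.get());
    routes_.erase(it);
  }

  // Step 3, vulnerable form: the in-flight DIAL app-list callback captured a raw pointer.
  void QueueRawAppListResponse(const std::string& id) {
    MediaRoute* raw = routes_.at(id).get();
    pending_.push_back([raw] {
      // Real code would read raw->endpoint from freed memory here. If the attacker
      // re-advertised and the allocator reused the block, the read would even
      // "succeed" on attacker-controlled contents, which is the exploitable case.
      return LiveRoutes().count(raw) ? Outcome::kUsedLive : Outcome::kUsedFreed;
    });
  }

  // Step 3, fixed form: capture a weak reference and return early if the route is gone.
  void QueueWeakAppListResponse(const std::string& id) {
    std::weak_ptr<MediaRoute> weak = routes_.at(id);
    pending_.push_back([weak] {
      std::shared_ptr<MediaRoute> route = weak.lock();
      if (!route) return Outcome::kSkippedStale;  // route destroyed: no access at all
      return Outcome::kUsedLive;                  // safe to read route->endpoint
    });
  }

  // The network response is delivered: run whatever was queued.
  std::vector<Outcome> RunPending() {
    std::vector<Outcome> results;
    for (auto& cb : pending_) results.push_back(cb());
    pending_.clear();
    return results;
  }

 private:
  std::map<std::string, std::shared_ptr<MediaRoute>> routes_;
  std::vector<std::function<Outcome()>> pending_;
};

// The sequence from the breakdown: advertise, start a request, device disappears,
// response arrives. `fixed` selects the weak-reference form of the callback.
RouteProvider::Outcome Simulate(bool fixed, bool removed_before_response) {
  RouteProvider provider;
  provider.AddRoute("rogue-cast", "192.0.2.10:8008");  // constructed, documentation range
  if (fixed) provider.QueueWeakAppListResponse("rogue-cast");
  else provider.QueueRawAppListResponse("rogue-cast");
  if (removed_before_response) provider.RemoveRoute("rogue-cast");
  return provider.RunPending().front();
}
```

Build the real thing with -fsanitize=address and replace the registry lookup with an actual read of `raw->endpoint`; ASan reports heap-use-after-free on the raw form and nothing on the weak form. The weak form costs one `lock()` per callback and removes the whole class of bug, which is why the pattern is the default for any callback that outlives the object it was started for.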

Additionally, the Chrome 147 build strengthens the Cast subsystem with these defensive measures:

  • Sandbox hardening: The utility process that handles Cast mDNS parsing now runs with stricter system-call filtering (seccomp-bpf on Linux and ChromeOS; on Windows the equivalent controls are the process's restricted token and job object), limiting the impact of any future UAFs.
  • Rate limiting for device updates: Chrome now ignores rapid add/remove sequences from the same source address within a short window, making heap grooming harder.
  • Improved heap partitioning: The allocator now places media route metadata in a separate partition, reducing the likelihood of attacker-controlled data adjacent to freed route objects.
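The rate-limiting measure above, as an added example that is not Chromium's implementation: a per-source sliding window over discovery events that refuses to apply more than a fixed number of add/goodbye changes from one sender within a window, and keeps a suppression count per source that is worth logging, since legitimate receivers almost never flap at that rate. The event format, the limits, and the addresses in the sample traffic are all assumptions.

```cpp
// Added example, not Chromium code: a per-source sliding-window limiter on
// discovery churn, plus a suppression count for detection. Names are assumptions.
#include <cstddef>
#include <deque>
#include <map>
#include <string>
#include <vector>

struct DiscoveryEvent {
  long long at_ms;     // arrival time
  std::string source;  // sender address as seen on the mDNS socket
  bool goodbye;        // true = TTL 0 removal, false = advertisement
};

class ChurnLimiter {
 public:
  ChurnLimiter(size_t max_events, long long window_ms)
      : max_events_(max_events), window_ms_(window_ms) {}

  // Decide whether an add/remove may be applied to the route map. Events beyond
  // max_events_ from one source inside window_ms_ are dropped, so an attacker
  // cannot drive the add/remove/re-add sequence at heap-grooming speed.
  bool Allow(const DiscoveryEvent& e) {
    std::deque<long long>& recent = history_[e.source];
    while (!recent.empty() && e.at_ms - recent.front() >= window_ms_) recent.pop_front();
    if (recent.size() >= max_events_) {
      ++suppressed_[e.source];
      return false;
    }
    recent.push_back(e.at_ms);
    return true;
  }

  // Per-source suppression counts: the signal a detection rule would alert on.
  const std::map<std::string, int>& Suppressed() const { return suppressed_; }

 private:
  size_t max_events_;
  long long window_ms_;
  std::map<std::string, std::deque<long long>> history_;
  std::map<std::string, int> suppressed_;
};

// Constructed traffic (not a capture): one host flapping advertise/goodbye/advertise
// within 40 ms, a normal TV announcing once, and the flapping host coming back
// after the window has expired. Returns how many events each source got applied.
std::map<std::string, int> RunSample() {
  std::vector<DiscoveryEvent> events = {
      {0, "192.0.2.10", false},  {20, "192.0.2.10", true},
      {40, "192.0.2.10", false}, {50, "192.0.2.20", false},
      {3000, "192.0.2.10", false}};
  ChurnLimiter limiter(2, 1000);  // at most two changes per source per second
  std::map<std::string, int> applied;
  for (const auto& e : events)
    if (limiter.Allow(e)) ++applied[e.source];
  return applied;
}
```

A limiter like this only narrows the race window; it does not close it, which is why it ships alongside the WeakPtr fix rather than instead of it. The suppression counter is the part a SOC can use: a source that trips it repeatedly is either a broken device or someone grooming the heap.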

The patch also ships with an updated chrome://components version for the Cast extension, which must be updated alongside the browser. Users will see "Cast Media Route Provider" version 1.2.3.15 under Chrome Components after the update.

Update Process for Windows Users

Chrome updates itself automatically on Windows, but the rollout can take days. To immediately install version 147.0.7727.138:

  1. Open Chrome, click the three-dot menu > Help > About Google Chrome.
  2. Chrome will check for updates and download the new version.
  3. Click "Relaunch" to apply. Ensure you save any work in other tabs first.

Enterprise administrators can deploy the update through Group Policy software installation, Microsoft Intune, or Configuration Manager using the MSI installer from the Chrome Enterprise download page; WSUS on its own does not serve third-party installers without a catalog. The patch is also available in the stable channel for ChromeOS, macOS, and Linux.

Mitigation Beyond Patching: LAN Segmentation and Hardening

While updating Chrome eliminates the vulnerability, security-conscious users can reduce exposure to similar LAN-based attacks through network architecture and browser configuration. CVE-2026-7338 is a reminder that local network services—even ones as benign as media streaming—expand the browser's attack surface.

1. Disable Cast When Not Needed

For users who never cast media, disabling Chrome's built-in Cast support removes this attack surface entirely. The supported switch is the EnableMediaRouter enterprise policy; there is no longer a chrome://flags entry for the media router in current Chrome.

  • Set the EnableMediaRouter policy to 0. On Windows that is a DWORD value named EnableMediaRouter under HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome, deployable with the Chrome ADMX templates in Group Policy or set directly in the registry on an unmanaged machine.
  • Confirm it took effect at chrome://policy, which lists the policy and its value; the "Cast..." entry disappears from the Chrome menu and chrome://media-router-internals stops listing discovered sinks.

With the media router disabled, Chrome stops listening for _googlecast._tcp mDNS announcements and stops DIAL/SSDP discovery, taking the vulnerable component out of play.

2. Segment Your Local Area Network

Enterprise and advanced home users should put IoT devices, smart TVs, and streaming gadgets on their own VLAN or subnet, so a compromised lightbulb or thermostat cannot send mDNS to the segment where laptops and workstations live. One caveat: Cast discovery is itself mDNS, which does not cross subnets, so casting from the user segment then needs an mDNS reflector or gateway configured to forward only _googlecast._tcp, and only from the device VLAN toward users. For home users, many routers offer a "Guest Network" that isolates its clients from the main LAN; putting all Cast devices there limits lateral movement at the cost of casting from the main network.

3. Deploy mDNS Filtering

On managed networks, switch or router ACLs can block mDNS (UDP port 5353 to 224.0.0.251, and to ff02::fb for IPv6) between user subnets and device subnets. Cisco, Aruba, and Brocade platforms offer mDNS or Bonjour gateway services that re-originate only approved service types, so a rogue _googlecast._tcp advertisement from the IoT VLAN never reaches Chrome instances on the user VLAN unless the gateway's allow-list admits it. Verify the filter with a packet capture on a user-VLAN port: no 5353 traffic sourced from the device VLAN should appear.

4. Enable Advanced Browser Protections

Windows Enterprise users sometimes reach for Microsoft Defender Application Guard, but be clear about what it covers: the Application Guard extension for Chrome hands untrusted URLs off to Edge running in a Hyper-V container; it does not run Chrome itself in that container, so it does nothing for mDNS traffic processed by the local Chrome, and Microsoft has since deprecated Application Guard. What does help here is AppLocker or Windows Defender Application Control policy that blocks unsigned executables and scripts, running Chrome as a standard (non-administrator) user, and leaving Chrome's own sandbox and site isolation enabled. Together these make the post-exploitation chain from a Cast-process compromise to a foothold on the host much harder.

The Bigger Picture: Chromium's Expanding LAN Footprint

CVE-2026-7338 isn't the first use-after-free in Chrome's network services, but it highlights a growing trend: browsers are ever more deeply integrated into local network ecosystems. WebUSB, Web MIDI, Web Bluetooth, and the Cast protocols mean that a browser is no longer just a window to the internet; it is a local network peer with privileged access to nearby devices. Each new protocol adds a parser for untrusted input, and each parser in C++ is a fresh source of potential memory-safety bugs.

Google's continued investment in Rust for new Chromium components aims to eliminate these classes of bugs at the language level, but rewriting legacy C++ modules like Cast takes years. In the interim, vulnerabilities like this will keep surfacing, making it essential for users to adopt a defense-in-depth posture: update promptly, disable unused features, and segment the network.

What's Next: Chromium's Memory Safety Roadmap

At the Google I/O 2026 conference, the Chrome team outlined an accelerated migration to Rust for network-facing parsers. The mDNS parser used by Cast is slated for a Rust rewrite in Chromium 148, with the DIAL parser following in 150. In safe Rust these components cannot contain use-after-free or buffer overflow bugs at all; any remaining unsafe blocks and the C++ code around them still need the usual fuzzing and review. Until then, vigilance and patch discipline remain the best defenses.

Conclusion: Immediate Action Required

CVE-2026-7338 is a stark example of a high-impact vulnerability requiring no user interaction and easily triggered by any device on the local network. With Chrome 147.0.7727.138 now available, Windows users should update immediately. For those managing fleets of machines, this bug deserves an emergency patch cycle. The combination of a local-network attack vector and a memory corruption flaw in a silently running service makes it a prime candidate for active exploitation—if it hasn't happened already.

Disable Cast if you don't use it, isolate your IoT devices, and keep an eye on the Chrome release channel for further hardening. Your browser is only as secure as the least secure thing on your network.