Google disclosed CVE-2026-7346 on April 28, 2026, a high-severity vulnerability in Chrome’s Tint rendering engine that could let a remote attacker trigger out-of-bounds memory access. The flaw was patched in Chrome version 147.0.7727.138, and every Windows user running Chrome needs to update immediately.

The CVE-2026-7346 Disclosure

Google’s security team published the advisory for CVE-2026-7346 as part of the stable channel update for desktop platforms. The vulnerability lives inside Tint, a UI template engine that Chrome uses to render internal pages, settings, and certain WebUI surfaces. An attacker who convinced a user to visit a malicious webpage could exploit the flaw to perform an out-of-bounds memory read or write, potentially leading to arbitrary code execution. Google has classified the bug as high severity, reserving its critical rating for bugs that allow complete system compromise without significant user interaction.

Details remain sparse—as usual, Google withholds technical specifics until most users have applied the patch. What we know is that the vulnerability involves improper bounds checking in Tint’s memory handling when processing crafted input. This type of bug is a staple in browser security: an out-of-bounds access can corrupt heap memory, bypass address space layout randomization (ASLR), and hand an attacker the ability to run shellcode.

Why Tint Matters

Tint is not a casual JavaScript library; it’s a core part of Chrome’s own UI. When you open a new tab page, the settings panel, or the download manager, Chrome uses Tint to assemble and render that interface. These internal pages often run with elevated privileges—they can access chrome:// APIs and make calls that normal web pages cannot. A flaw in Tint therefore gives an attacker a path to pivot from a malicious website into the browser’s internal plumbing, sidestepping many sandbox protections.

Chrome’s architecture typically isolates WebUI pages in their own processes under the site isolation model. But a vulnerability in the template engine could cross that boundary if the engine parses data incorrectly. Imagine a downloaded HTML file that gets previewed, a phishing page crafted to load internal chrome URLs, or even a malicious extension that abuses Tint—each vector could trigger the out-of-bounds access. The exact attack scenario remains untold, but the potential impact stands as high as any other memory corruption in a privileged context.

Out-of-Bounds Memory Access: The Mechanics

Memory safety bugs remain the most common vector for browser exploitation. An out-of-bounds access happens when a program tries to read from or write to a memory location outside the buffer it allocated. In Chrome, the renderer process runs inside a sandbox on Windows, meaning the immediate damage from an out-of-bounds write might be limited to renderer crash. But sophisticated attackers chain multiple bugs—often combining a type confusion or use-after-free with a sandbox escape—to achieve remote code execution with the same privileges as the logged-in user.

CVE-2026-7346 specifically mentions out-of-bounds memory access in Tint. Without the exact details, we can infer it likely involves an array or buffer overflow when Tint processes certain HTML or JSON data. If an attacker can control the size or index of a write, they can overwrite function pointers or vtable entries. On Windows, this could mean injecting shellcode and, in the worst case, gaining system-level access if paired with a privilege escalation bug.

What’s Fixed in Chrome 147.0.7727.138

The patch arrived in version 147.0.7727.138 for Windows, Mac, and Linux. Google’s update notes for the stable channel confirm that the release fixes CVE-2026-7346 alongside other security issues. The fix likely enforces proper bounds checking in the vulnerable Tint function, adding a size validation before memory operations. Users can verify they have the patched version by navigating to chrome://settings/help or checking the build number in About Chrome.

This is not the first Chrome update in the 147 cycle—Google typically ships major version bumps every four weeks, with minor patches for security in between. The 147 branch reached stable in early April 2026, so this late-cycle update specifically targets the high-risk CVE. For Windows users, the update installs automatically in the background, but a full browser restart is needed to activate the fix. If you see a green, orange, or red arrow in Chrome’s menu, that’s the update notification. Click it and relaunch.

How to Force the Update on Windows

Though Chrome will eventually update itself, you can’t afford to wait. To manually pull the patch:

  1. Open Chrome.
  2. Click the three-dot menu in the top-right corner.
  3. Select Help > About Google Chrome.
  4. Chrome will check for updates. If it finds version 147.0.7727.138, it will download and prompt you to relaunch.
  5. Restart the browser.

If your organization uses deployment tools like Microsoft Intune, SCCM, or Group Policy, you can push the update through admin policies. The Chrome Enterprise release notes provide MSI installers and policy templates for mass deployment. For individual users, the About page is the fastest route. Edge users on Windows should also pay attention: Microsoft Edge builds on Chromium and often inherits components like Tint. While Edge version numbering differs, check for updates by navigating to edge://settings/help. Microsoft typically releases a corresponding fix within a day or two.

The Risk for Windows Enthusiasts

Windows users are a prime target. Chrome holds the largest browser market share on the platform, and many Windows users run Chrome for both personal and professional tasks. A vulnerability that can be triggered simply by visiting a malicious link means drive-by attacks are plausible. Malvertising, watering-hole attacks on forums frequented by Windows enthusiasts, or compromised document downloads can all act as delivery mechanisms.

Because Windows 10 and 11 are still the dominant desktop operating systems, attackers craft their exploits with Windows call stacks in mind. An out-of-bounds write in Chrome might leverage Windows-specific memory allocation patterns or jump to DLLs like kernel32.dll. The sandbox on Windows is robust, but it’s not impenetrable—recent years have shown a steady stream of in-the-wild chains that combine Chrome renderer RCE with Win32k or ALPC sandbox escapes. A patch for a high-severity bug should be treated as if it’s actively exploited, even when Google says otherwise.

Chromium Ecosystem Implications

CVE-2026-7346 isn’t limited to Chrome. The open-source Chromium project underlies dozens of browsers: Microsoft Edge, Brave, Opera, Vivaldi, and many Electron-based applications like Slack, Discord, and Visual Studio Code. All of these may incorporate the Tint component. The timeline for downstream patches varies. Microsoft’s Edge team coordinates with Google on shared vulnerabilities, so an Edge patch often ships within 24–48 hours. Brave and Opera typically pull the fixed Chromium version within a week. Electron apps are trickier—they bundle Chromium, and their update cycles depend on the app vendor.

If you use any Chromium-based software that renders web content or processes WebUI templates, monitor for updates. For apps that don’t auto-update, you may need to manually download the latest installer. Windows enthusiasts who run nightly or canary builds of Chromium are likely already on a version that includes the fix, but stable channel users are at risk until they update.

Google’s Chrome Security Track Record

Google patches Chrome aggressively, and the number of high-severity CVEs reported each year runs into the dozens. The company’s Project Zero and external researchers continuously fuzz and audit the browser’s codebase, leading to a steady drumbeat of fixes. In 2025, Google fixed over 150 security bugs in Chrome, with more than a third rated high or critical. The Tint vulnerability is yet another memory safety issue, reinforcing the argument that C/C++ code remains a liability. Google has been working to phase out unsafe memory operations through projects like the MiraclePtr hardening and the gradual migration to Rust in Chromium, but Tint likely still relies on raw pointer arithmetic.

The U.S. government’s call for software vendors to adopt memory-safe languages by 2026 underscores the urgency. The Cybersecurity and Infrastructure Security Agency (CISA) has added Chrome CVEs to its Known Exploited Vulnerabilities catalog multiple times. While CVE-2026-7346 isn’t yet listed, organizations that use Chrome should apply the patch as if it will appear there soon.

What You Should Do Right Now

  1. Check your Chrome version. Type chrome://version in the address bar. If the number is older than 147.0.7727.138, you are vulnerable.
  2. Restart Chrome after updating. Many Windows users leave Chrome open for days; the update won’t activate until you relaunch.
  3. Enable automatic updates if you had disabled them (common in enterprise environments). Controlled updates are fine, but make sure you approve this specific version.
  4. Review your extensions. A compromised extension could potentially abuse Tint as well. Remove any you don’t recognize.
  5. Watch for Edge and other Chromium browser updates. Check edge://settings/help and similar pages in Brave, Opera, etc.

If you manage a network of Windows machines, use Chrome’s policy to force the update within 24 hours. For home users, the green update arrow should be all the encouragement you need.

The Bigger Picture: Browser as an Attack Surface

Every browser update that fixes a memory corruption bug reminds us that the web is hostile. Browsers are the most exposed piece of software on a Windows PC—they download and execute untrusted code every time you click a link. Sandboxing, site isolation, and constant patching reduce the risk, but zero-days continue to surface. For Windows users, pairing Chrome with Microsoft Defender Application Guard or using a dedicated security browser can add layers of defense, but nothing substitutes for immediate patching.

CVE-2026-7346 may not make headlines like a zero-day under active attack, but the difference between a publicly disclosed bug and an exploited one is often just hours. The patch is available. Update now.