Google and Microsoft have jointly disclosed CVE-2026-7358, a high-severity use-after-free vulnerability in Chrome’s Animation component, on April 28, 2026. The flaw, which affects all versions of Google Chrome prior to 147.0.7727.138, could allow attackers to execute arbitrary code on a victim’s machine. Microsoft has simultaneously released an updated version of its Edge browser, which shares the Chromium engine, incorporating the same critical fix.

Security teams and end users alike are urged to apply the patch without delay. This isn’t a theoretical risk—reports indicate that the vulnerability may already be under active exploitation in the wild. The urgency is compounded by the widespread use of Chrome and Edge across Windows, macOS, and Linux, making this a cross-platform threat with particular significance for Windows environments where both browsers dominate.

What Exactly Is CVE-2026-7358?

CVE-2026-7358 is classified as a use-after-free (UAF) bug within Chrome’s Animation component. To understand the danger, consider how browsers manage memory. Objects are allocated memory when created and that memory is freed when the object is no longer needed. A use-after-free occurs when the program continues to reference a memory location after it has been freed. This dangling pointer can be exploited to corrupt data, crash the browser, or—most alarmingly—to achieve arbitrary code execution.

In the case of Chrome’s Animation component, which handles CSS animations and Web Animations API calls, a crafted web page can trigger the UAF condition. By carefully manipulating the heap, an attacker can hijack the execution flow and run malicious code within the context of the browser process. While Chrome’s robust sandbox architecture limits the damage to the renderer process, history shows that determined attackers can chain such flaws with sandbox escape vulnerabilities to fully compromise a system.

The Animation component has been a recurring source of bugs. Its complexity, involving thousands of lines of code that orchestrate timing, interpolation, and compositing, creates a broad attack surface. Google engineers continually fuzz and audit this code, but as this latest CVE demonstrates, new corner cases can slip through.

Affected Versions and the Fix

The vulnerability impacts Google Chrome versions before 147.0.7727.138. This specific version number marks the first stable release containing the patch. The fix addresses the root cause by ensuring that the animation object’s lifetime is correctly managed, eliminating the dangling pointer.

For Microsoft Edge, the patched version is based on the same Chromium release. While Microsoft does not always mirror Chrome’s version numbering exactly, the Edge update delivered on April 28, 2026, incorporates the Chromium patch. Users should verify that their browser is up to date by navigating to the About page. In Edge, this is typically accessed via edge://settings/help, and in Chrome, via chrome://settings/help.

Other Chromium-based browsers, such as Brave, Opera, and Vivaldi, are also likely affected and will roll out updates based on the upstream fix. IT administrators managing enterprise deployments should prioritize testing and deployment of this update through their software distribution tools.

Exploitation in the Wild: A Zero-Day Reality

Google’s advisory notes that an exploit for CVE-2026-7358 exists in the wild. The company does not disclose the specifics of observed attacks until a majority of users have applied the update, a standard practice designed to prevent copycat exploits. However, the fact that the bug was reported by an external researcher—possibly through Google’s Vulnerability Reward Program—suggests it was discovered in a controlled manner before being weaponized by threat actors.

Security analysts have observed a pattern where animation-related UAFs are used in targeted attacks, often delivered via spear-phishing emails or watering-hole websites. The exploit typically requires user interaction, such as visiting a malicious site, but the exploitation can be seamless and invisible to the victim. Once code execution is achieved in the renderer, attackers commonly attempt to escape the sandbox by exploiting a kernel vulnerability or another logic flaw in the operating system.

Microsoft’s own Security Response Center (MSRC) has flagged the issue as important for Windows customers, noting that Edge’s integration with Windows security features – like Microsoft Defender Application Guard and SmartScreen – provides additional layers of defense. However, these are not foolproof, and the primary remediation remains the browser update itself.

Why Windows Users Must Act Now

Windows represents the largest desktop platform for both Chrome and Edge. The sheer volume of users makes it a prime target for attackers. Enterprise environments, in particular, are at risk because browsers are the primary interface for cloud applications, email, and web-based productivity tools. A single compromised endpoint can serve as a beachhead for lateral movement across a corporate network.

The UAF flaw is especially concerning on systems where users run with elevated privileges. While least-privilege principles are standard practice, many Windows home users still operate with administrator accounts. A full compromise could lead to ransomware deployment, credential theft, or espionage.

Moreover, the close coupling of Edge with the Windows operating system means that an attacker who escapes the renderer sandbox could potentially exploit Windows kernel vulnerabilities. Microsoft’s advisory does not mention any specific kernel flaw being used in conjunction with this Chrome bug, but the possibility cannot be ruled out.

How to Update Chrome and Edge

Patching is straightforward:

For Google Chrome:
- Open Chrome and click the three-dot menu (or type chrome://settings/help in the address bar).
- Chrome will check for updates and automatically install the latest version.
- Relaunch the browser to complete the update. The About page should show version 147.0.7727.138 or higher.

For Microsoft Edge:
- Open Edge and click the three-dot menu, then go to Help and feedback > About Microsoft Edge (or type edge://settings/help).
- Edge will check for and install updates.
- Restart the browser. The exact version number may differ, but it will be based on Chromium 147.0.7727.138.

IT administrators can deploy updates using Windows Server Update Services (WSUS), Microsoft Endpoint Configuration Manager, or Intune. Chrome also offers enterprise MSI installers and group policies for managed environments. For Edge, the update is delivered via Windows Update, and policies can be set to force automatic updates.

The Bigger Picture: Sandboxing and Defense in Depth

Chrome’s security model relies heavily on sandboxing. Each tab runs in a restricted process that has limited access to the operating system. Use-after-free bugs, while dangerous, are typically contained within this sandbox. However, as the Prison Break escape at Pwn2Own 2023 showed, determined researchers and attackers can find creative ways to break out.

Site Isolation, enabled by default in Chrome and Edge, adds another barrier by ensuring that pages from different domains are rendered in separate processes. This means that even if one site is compromised, an attacker cannot easily steal data from another site. Yet, these defenses are not a silver bullet. A UAF in the animation code could potentially affect any process that renders content with animations—which is nearly every tab.

Browser vendors are continuously working on new mitigations. Mixture of pointers checks, memory tagging extensions (MTE) on ARM hardware, and the gradual migration to memory-safe languages like Rust are long-term answers. For now, rapid patching remains the most effective countermeasure.

A Recurring Nightmare: Lessons from Past Animation Bugs

CVE-2026-7358 is not an isolated case. Chrome’s Animation component has been the source of multiple high-severity vulnerabilities over the years:

  • CVE-2021-37973 (2021): A use-after-free in the Animation component that was exploited in the wild, prompting an emergency Chrome update.
  • CVE-2022-2856 (2022): Another animation-related UAF, also seen in targeted attacks.
  • CVE-2023-4863 (2023): A heap buffer overflow in WebP—not strictly animation, but often triggered via animated images—that had widespread impact.

Each incident follows a familiar script: researchers identify the flaw through fuzzing or manual review, Google rushes out a patch, and attackers scramble to reverse-engineer the fix to develop exploits for unpatched systems. The brief window between patch release and mass adoption is when exploitation peaks.

This cycle underscores the importance of automation. Browsers that silently update in the background—Chrome’s default behavior—dramatically shrink the window of vulnerability for the average user. Enterprises that delay updates for testing purposes must weigh the risk of a zero-day against the possibility of compatibility issues.

Microsoft’s Role in a Chromium World

Since Edge’s switch to Chromium in 2020, Microsoft has been an active contributor to the open-source project. The company’s security researchers regularly find and report bugs in Chrome, and vice versa. This collaboration accelerates patch development and benefits the entire ecosystem.

Edge also brings unique security features to Windows. Microsoft Defender SmartScreen blocks known malicious websites and downloads, potentially preventing users from reaching the exploit page in the first place. Application Guard can isolate browsing sessions within a virtualized container, adding an extra hurdle for attackers. However, these features are not enabled by default in all configurations, and they do not eliminate the need for prompt patching.

For organizations that have standardized on Microsoft 365, Edge’s deep integration with Azure Active Directory and conditional access policies can help mitigate the impact of a compromise by enforcing multi-factor authentication and device compliance checks. Still, an endpoint with a vulnerable browser is a risky liability.

Practical Steps Beyond Patching

While updating is the most critical action, users can adopt additional measures to reduce exposure:

  • Enable Enhanced Security Mode in Edge (edge://settings/privacy) to add extra protections against memory-related vulnerabilities, including JavaScript just-in-time (JIT) compilation restrictions.
  • Use a content blocker or ad guard to reduce the risk of malvertising—a common vector for exploit delivery.
  • Keep the operating system and other software up to date. A fully patched Windows system makes sandbox escapes more difficult.
  • For developers, audit any web applications that rely heavily on the Web Animations API for potential excessive complexity that could trigger browser bugs.

What Comes Next

The response to CVE-2026-7358 will unfold over the coming days. Google will likely release a detailed technical analysis after the majority of users have updated. Threat intelligence firms will monitor for exploit kit integrations. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) may add the vulnerability to its Known Exploited Vulnerabilities catalog, mandating government agencies to patch within a specific timeframe.

In the long term, the Chrome team’s ongoing efforts to rewrite components in memory-safe languages will reduce the frequency of such bugs. The Animation component, written in C++, is a prime candidate for a gradual rewrite or for adoption of hardened libraries that enforce temporal memory safety.

For now, the advice is simple and urgent: update your browser immediately. The fix is available, the attackers are active, and the cost of inaction could be severe. On Windows, the ubiquity of Chrome and Edge makes this a threat that no user or organization can afford to ignore.