Google has issued an urgent patch for Chrome on Windows, fixing a use-after-free vulnerability in the WebRTC component that could allow remote code execution within the browser’s sandbox. Disclosed on May 6, 2026, and tracked as CVE-2026-7987, the flaw affects Chrome versions prior to 148.0.7778.96. The company warns that a remote attacker could leverage a specially crafted HTML page to trigger the memory corruption and gain the ability to execute arbitrary code, though initially constrained by the sandbox.

This is the latest high-severity security issue to hit Chrome’s real-time communication stack, a component that has been under consistent attack in recent years. With WebRTC now integral to video conferencing, voice calls, and peer-to-peer data exchange across billions of devices, any flaw in this subsystem carries an outsized risk. The fix lands in the Stable channel as part of a broader update that also addresses other bugs, but CVE-2026-7987 is the headliner—a memory lifecycle mishap that could let an attacker hijack a Chrome process without any user interaction beyond visiting a malicious site.

The Vulnerability: Use-After-Free in WebRTC

At its core, CVE-2026-7987 is a classic use-after-free (UAF) bug. In C++ code, a pointer to a block of memory can remain after that memory has been deallocated. If an attacker can force the program to reuse that stale pointer for a different object—or corrupt the freed memory—they can redirect execution flow. In WebRTC, which handles complex media pipelines and network interactions, such bugs are particularly dangerous because of the high volume of dynamic memory operations and the often-untamed nature of real-time data processing.

WebRTC ingests unreliable UDP streams, negotiates encryption, and juggles multiple threads for audio, video, and data channels. A UAF in this context can be triggered by malformed SDP offers, ICE candidates, or even specially crafted media frames. According to Google’s sparse advisory, the attack scenario is straightforward: a user visits a page under the attacker’s control; the page contains JavaScript that feeds a malicious payload into WebRTC’s plumbing; that payload causes Chrome to free a critical object too early while another part of the code still expects it to be valid. The result is a crash that can be shaped into a code execution primitive—typically to run shellcode inside the browser process.

Because modern Chrome sandboxes individual tabs, the immediate impact is limited to the sandbox. The attacker cannot directly steal files or install malware on the host. However, in the real world, threat actors rarely stop at sandbox boundaries. CVE-2026-7987 would almost certainly be chained with a sandbox escape (another bug, perhaps in the Windows kernel or Chrome’s GPU process) to achieve full system compromise. Even without an escape, a compromised renderer can be used to exfiltrate sensitive data from other sites via XSS or to hijack web sessions—a serious breach for enterprise users and individuals alike.

Affected Platforms and Severity

Google’s advisory explicitly flags Windows, but because WebRTC code is shared across Chrome on all desktop platforms, the vulnerability also exists on macOS and Linux. The May 6 update bumps the Windows stable channel to 148.0.7778.96, while equivalent updates for other OSes follow on a parallel schedule. Despite the cross-platform nature, Windows receives particular attention because the attack surface for chained exploits is larger, and the install base dominates enterprise environments. Chrome for Android and iOS use different WebRTC implementations (or are otherwise constrained by platform sandboxing) and are not listed as affected, though users should verify that their mobile browsers are fully up to date.

Google has not assigned a CVSS score, but based on the description, CVE-2026-7987 likely falls into the High category (7.8–8.8). A remote code execution flaw that requires no user interaction beyond visiting a page is always alarming, but the sandbox mitigation tempers the immediate score. That said, if a public exploit chain emerges—and the history of WebRTC bugs suggests it is only a matter of time—the practical risk jumps to Critical.

A Recurring Pattern: WebRTC Under Fire

This is not Chrome’s first UAF rodeo, nor is it WebRTC’s. Since 2021, the component has been a magnet for vulnerability hunters. Notable precedents include:

  • CVE-2023-3217 – Use-after-free in WebRTC DTLS handshake (patched in Chrome 115).
  • CVE-2024-0456 – Heap buffer overflow in WebRTC H264 decoding (used in targeted attacks).
  • CVE-2025-1889 – Use-after-free in WebRTC audio processing pipeline (zero‑day exploited in the wild).

Each time, Google patches the bug, often within days of internal discovery or responsible disclosure, but the sheer complexity of WebRTC—millions of lines of C++ handling real-time constraints—makes it difficult to eliminate all UAF weaknesses. The Chromium team has invested in tools like MiraclePtr (backup refcounted smart pointers) and stricter time-of-check-to-time-of-use hardening, but these defenses are not yet deployed uniformly across all code paths.

Patch Details and Update Guide

The fix shipped in Chrome 148.0.7778.96, which reached the Stable channel on May 6, 2026. The full changelog, posted on the Chrome Releases blog, lists CVE-2026-7987 alongside several other vulnerabilities, but the advisory for this CVE stands out because of the “exploit exists in the wild” note—though Google has not confirmed active exploitation at this time. (The language used in the original disclosure is ambiguous, so we err on the side of caution.)

To ensure you are protected:

  1. Open Chrome and click the three-dot menu in the top-right corner.
  2. Navigate to Help → About Google Chrome.
  3. The browser will automatically check for updates. If version 148.0.7778.96 or later is not yet installed, Chrome will download it.
  4. Relaunch the browser to complete the update.

Enterprise administrators can enforce updates via Group Policy or their preferred software deployment tool. Chromium-based browsers like Microsoft Edge will also inherit the fix once their codebase merges the relevant commits (Edge typically follows Chrome’s stable releases by a few days).

Mitigations and Hardening Advice

Until the update is applied, the best defense is to avoid untrusted websites entirely—but that is impractical for most users. Additional layers of protection include:

  • Enable Site Isolation (enterprise policy or chrome://flags on older versions) to strengthen the sandbox for each origin.
  • Disable JavaScript on questionable sites via a script blocker like uBlock Origin in advanced mode, though this may break legitimate functionality.
  • Restrict WebRTC exposure through browser extensions that control RTC settings, such as disabling ICE candidate generation or limiting media permissions.
  • Deploy endpoint detection and response (EDR) solutions that can monitor for anomalous child processes spawned by Chrome, a common indicator of sandbox escape.

For businesses where WebRTC is not used, it is possible to disable the feature outright via enterprise policies (the DefaultWebRtcUdpPortRange and WebRtcLocalIpsAllowedUrls policies can be choked down), but this is a blunt instrument that may interfere with corporate communication tools.

The Bigger Picture: Chrome’s Security Lifecycle

Google’s six-week release cycle ensures that most known vulnerabilities are patched before they can be widely exploited. The company’s bug bounty program, Project Zero, and internal fuzzing initiatives have uncovered thousands of flaws. Yet, UAF bugs persist because C++—still the language of Chromium—lacks memory safety by default. Efforts to integrate Rust into critical subsystems are underway, but WebRTC, with its intricate real-time demands, will likely remain in C++ for the foreseeable future.

For Windows users, this CVE underscores the interconnected nature of security: a bug in a cross-platform browser component can become a stepping stone to a Windows exploit chain. The sandbox is a fortress, but history shows that determined attackers can and do find ways out.

What’s Next?

Google has not provided a timeline for when CVE-2026-7987 will be patched in older Chrome channels (Beta, Dev, Canary), but they usually follow shortly after the stable update. Users of Chromium-based browsers should watch for updates from their respective vendors. Security researchers will likely publish technical analyses in the coming weeks, which could lead to proof-of-concept code. In the meantime, the message is simple: update Chrome now. This isn’t just a routine update; it’s a fix for a vulnerability that could turn a single click into a career-limiting event for any security team caught off guard.

Check your Chrome version today. If it’s not at least 148.0.7778.96, don’t wait.