CVE-2026-1847: Chrome’s Fourth Zero-Day This Year and the Patch Gap Attackers Count On

CVE-2026-1847 - CVSS v3.1 base score 9.8. Remote code execution in the Chrome renderer process. Confirmed exploited in the wild.

Patch boundary: Chrome < 124.0.6367.82 on Windows, macOS, Linux. Patch shipped April 5, 2026.

This is the fourth Chrome zero-day with confirmed in-the-wild exploitation in 2026. Four in one year is not coincidence. It signals sustained, resourced threat actors actively working Chrome’s attack surface - and finding results.

The Bug

Use-after-free in the WebGPU implementation. GPU buffer objects are freed during asynchronous resource cleanup while still referenced by an active WebGL context. The shared buffer refcount across rendering contexts fails to track cross-API references. Result: a dangling pointer to freed heap memory.

The primitive is UAF → controlled heap corruption → arbitrary read/write in the renderer process.

MITRE ATT&CK: T1189 (Drive-by Compromise), T1203 (Exploitation for Client Execution).

The Chain

Renderer RCE alone is insufficient - Chrome’s multi-process sandbox constrains the damage. Full compromise requires a sandbox escape.

The escape component for CVE-2026-1847 is undisclosed. But the pattern is familiar: prior Chrome zero-day chains in 2024 paired renderer UAFs with Mojo IPC bugs to break the sandbox boundary (see CVE-2024-7971 chained with CVE-2024-7965). The architecture of the attack - WebGPU as the entry point, renderer as the staging ground - follows the same template.

If a sandbox escape is chained, the attacker achieves code execution at the browser process privilege level. From there: credential access, lateral movement, persistence. MITRE ATT&CK: T1055 (Process Injection) for the escape, T1071.004 (Application Layer Protocol: DNS) for C2.

What Telemetry Sees - and Misses

Default EDR rulesets do not alert on CVE-2026-1847 exploitation. No child process spawns. No Sysmon Event ID 1 fires. The attack lives inside Chrome.exe’s existing process.

What does surface:

• EDR behavioral telemetry: ProcessMemoryRead from Chrome.exe targeting unmapped high-address regions (0x7fff80000000+). This is the heap spray probing for the freed buffer.
• Windows Security Event 4688: Command line arguments containing wasm and function tokens with no associated file path - indicative of JIT-compiled shellcode via WebAssembly.
• Network: DNS queries to random 32-character subdomains. Pattern-matches known DNS tunneling C2 beacon signatures.
• SIEM gap: Correlation rules miss the chain because the source IP serves legitimate traffic from trusted origins (Google Cloud API ranges). Single-point IOC matching fails here.

The attack presents as normal browser activity. The anomaly is in the combination: heap probe + WASM execution + DNS beacon from the same process within a short window. No single indicator fires a rule. The chain is invisible to detection stacks built on atomic IOCs.

The Actual Risk: The Patch Gap

Google shipped the fix on April 5. That date is irrelevant to most enterprises.

Enterprise browser patch cycles run 3 to 6 weeks. Regulated environments - finance, healthcare, defense - push 60 to 120 days. Every day in that window, the vulnerability is public, the patch diff is reversible, and the exploit primitive is known.

This is not theoretical. Exploit brokers and APT groups monitor Chrome stable channel diffs. A UAF with a clean heap primitive in a well-documented subsystem like WebGPU is straightforward to weaponize from the patch delta alone. The PoC-to-weaponization timeline for renderer UAFs has compressed to under 72 hours in recent campaigns.

Four zero-days in one year means the patch gap is being exploited faster than enterprises can close it. The attackers are not waiting. They are operating inside the window between Google’s release and your deployment - and they know exactly how long that window is.

Detection Engineering

If you cannot patch within 48 hours, hunt for the chain:

1. Correlate ProcessMemoryRead events from browser processes with DNS queries to high-entropy subdomains within a 60-second window.
2. Flag WASM compilation events in browser processes that are not preceded by a user-initiated navigation to a known-good origin.
3. Monitor for Chrome renderer crashes followed by DNS activity from the browser process - a failed exploit attempt still leaves a signal.

Atomic IOCs will not catch this. Behavioral correlation across memory, execution, and network telemetry is the only path to detection before the sandbox escape completes.