CVE-2026-7350: Use after free in WebMIDI in Google Chrome prior to 147.0.7727.138 allowed a remote attacker who had compromised the renderer process to potentially perform a…

CVE-2026-7350 [HIGH] Stable Channel Update for Desktop: CVE-2026-7350 Stable Channel Update for Desktop CVE-2026-7350: Use after free in WebMIDI. Reported by Google on 2026-04-06 [TBD][ 500034684 ] High CVE-2026-7349: Use after free in Cast Reported by Google on 2026-04-06 [TBD][ 500104917 ] High CVE-2026-7348: Use after free in Codecs Severity: high

CVE-2026-7350 [HIGH] chromium-browser: Use after free in WebMIDI chromium-browser: Use after free in WebMIDI An use after free flaw was found in the WebMIDI component of the Chromium browser. Upstream bug(s): https://code.google.com/p/chromium/issues/detail?id=500018484 Statement: Red Hat Product Security rates the severity of this flaw as determined by the Google Chrome Security Advisory.

CVE-2026-7350 [HIGH] CWE-416 GHSA-7x7q-4ppx-h6rp: Use after free in WebMIDI in Google Chrome prior to 147 Use after free in WebMIDI in Google Chrome prior to 147.0.7727.138 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

CVE-2026-7350 [HIGH] CVE-2026-7350 chromium-browser: Use after free in WebMIDI CVE-2026-7350 chromium-browser: Use after free in WebMIDI Use after free in WebMIDI in Google Chrome prior to 147.0.7727.138 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

CVE-2026-21717 [MEDIUM] CVE-2026-21717 nodejs: v8: Node.js: Denial of Service via V8 string hashing mechanism due to predictable hash collisions CVE-2026-21717 nodejs: v8: Node.js: Denial of Service via V8 string hashing mechanism due to predictable hash collisions A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such collisions in V8's internal string table, an attacker can significantly degrade performance of the Node.js process. The most common trigger is any endpoint that calls `JSON.parse()` on attacker-controlled input, as JSON parsing automatically internalizes short strings into the affected hash table. This vulnerability affects **20.x, 22.x, 24.x, and 25.x**. Discussion: This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2026:7350 http

CVE-2026-21713 [MEDIUM] CVE-2026-21713 Node.js: Node.js: Information disclosure via timing oracle in HMAC verification CVE-2026-21713 Node.js: Node.js: Information disclosure via timing oracle in HMAC verification A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timing information proportional to the number of matching bytes. Under certain threat models where high-resolution timing measurements are possible, this behavior could be exploited as a timing oracle to infer HMAC values. Node.js already provides timing-safe comparison primitives used elsewhere in the codebase, indicating this is an oversight rather than an intentional design decision. This vulnerability affects **20.x, 22.x, 24.x, and 25.x**. Discussion: This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2026:7350

CVE-2026-21714 [MEDIUM] CVE-2026-21714 Node.js: Node.js: Memory leak and Denial of Service via crafted HTTP/2 WINDOW_UPDATE frames CVE-2026-21714 Node.js: Node.js: Memory leak and Denial of Service via crafted HTTP/2 WINDOW_UPDATE frames A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow control window to exceed the maximum value of 2³¹-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned up. This vulnerability affects HTTP2 users on Node.js 20, 22, 24 and 25. Discussion: This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2026:7350 https://access.redhat.com/errata/RHSA-2026:7350

CVE-2026-21712 [MEDIUM] CVE-2026-21712 Node.js: Node.js: Denial of Service via malformed Internationalized Domain Name processing CVE-2026-21712 Node.js: Node.js: Denial of Service via malformed Internationalized Domain Name processing A flaw in Node.js URL processing causes an assertion failure in native code when `url.format()` is called with a malformed internationalized domain name (IDN) containing invalid characters, crashing the Node.js process. Discussion: This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2026:7350 https://access.redhat.com/errata/RHSA-2026:7350

CVE-2026-1527 [MEDIUM] CVE-2026-1527 undici: Undici: HTTP header injection and request smuggling vulnerability CVE-2026-1527 undici: Undici: HTTP header injection and request smuggling vulnerability ImpactWhen an application passes user-controlled input to the upgrade option of client.request(), an attacker can inject CRLF sequences (\r\n) to: * Inject arbitrary HTTP headers * Terminate the HTTP request prematurely and smuggle raw data to non-HTTP services (Redis, Memcached, Elasticsearch) The vulnerability exists because undici writes the upgrade value directly to the socket without validating for invalid header characters: // lib/dispatcher/client-h1.js:1121 if (upgrade) { header += `connection: upgrade\r\nupgrade: ${upgrade}\r\n` } Discussion: This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2026:7350 https://access.redhat.com/errata/RHSA-2026:7