Description
Use after free in V8 in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Published: 2026-04-08
Score: n/a
EPSS: n/a
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

Chrome’s JavaScript engine, V8, contains a use‑after‑free flaw that permits a remote attacker to run arbitrary code inside a sandboxed environment by delivering a specifically crafted HTML page. The vulnerability is a classic memory corruption issue, classified as CWE‑416, and is considered high severity by Chromium security reviewers.

Affected Systems

This flaw affects Google Chrome releases prior to version 147.0.7727.55. Users running any earlier stable build are potentially vulnerable.

Risk and Exploitability

The exploit requires only that a malicious web page be loaded in the affected browser, making the attack vector inbound, client‑side. While the EPSS score is currently unavailable and the vulnerability is not listed in the CISA KEV catalog, the reported high severity and the remote code execution capability indicate a significant risk for any user who visits compromised sites. No specific privileged escalation is required; the code runs within the browser’s sandbox. The lack of a public exploit in the wild does not diminish the threat posed to users who do not promptly apply the available patch.

Generated by OpenCVE AI on April 8, 2026 at 22:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to version 147.0.7727.55 or later, which contains the patched V8 kernel.
  • If an immediate update is not feasible, monitor Google’s release channels for the patched version and consider disabling HTML5 features that expose V8 to untrusted content as a temporary measure.
  • Verify that site isolation and related security settings are enabled in Chrome to add an extra layer of defense.

Generated by OpenCVE AI on April 8, 2026 at 22:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 09 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
Title V8 Use‑After‑Free Enables Remote Code Execution via Crafted HTML Page
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Wed, 08 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
Description Use after free in V8 in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Weaknesses CWE-416
References

Subscriptions

Google Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-04-08T21:20:40.803Z

Reserved: 2026-04-08T19:34:32.340Z

Link: CVE-2026-5861

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-04-08T22:16:25.610

Modified: 2026-04-08T22:16:25.610

Link: CVE-2026-5861

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-09T08:27:05Z

Weaknesses