Description
Inappropriate implementation in V8 in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Published: 2026-04-08
Score: 9.6 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is in V8, the JavaScript engine used by Google Chrome, and allows a remote attacker to execute arbitrary code inside a sandbox when a victim loads a specially crafted HTML page. This high-severity flaw means that a visitor to a malicious site can have attacker-controlled code run inside the browser's sandbox, potentially affecting confidentiality, integrity, and availability.

Affected Systems

All users of Google Chrome versions prior to 147.0.7727.55 are affected. The stated fix is to update to Chrome 147.0.7727.55 or later, which implements the corrected V8 sandboxing logic.

Risk and Exploitability

The flaw can be triggered by loading a malicious web page, so any user who visits such a page is at risk. EPSS data is not available and the vulnerability is not tracked in the CISA KEV catalog, but the CVSS severity is high and the attack vector is remote via the internet. Exploitation requires no local privileges and can be performed by a web attacker who can host or deliver the crafted content.

Generated by OpenCVE AI on April 8, 2026 at 22:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Chrome update to at least version 147.0.7727.55, which implements the hardened V8 sandbox.
  • Verify the installed Chrome version after the update to confirm the fix is in place.
  • If an immediate update is not possible, consider disabling JavaScript or using a browser that has patched the issue until an update can be applied.

Advisories
Source | ID | Title
Debian DSA | DSA-6205-1 | chromium security update

History

Fri, 10 Apr 2026 12:15:00 +0000

Type | Values Removed | Values Added
Title | | chromium-browser: Inappropriate implementation in V8
Weaknesses | | CWE-641
References | |
Metrics | threat_severity: None | cvssV3_1: {'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}; threat_severity: Important


Thu, 09 Apr 2026 08:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Google; Google chrome
Vendors & Products | | Google; Google chrome

Wed, 08 Apr 2026 21:30:00 +0000

Type | Values Removed | Values Added
Description | | Inappropriate implementation in V8 in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
References | |

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-04-10T03:55:42.940Z

Reserved: 2026-04-08T19:34:32.924Z

Link: CVE-2026-5863

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-08T22:16:25.817

Modified: 2026-04-08T22:16:25.817

Link: CVE-2026-5863

Redhat

Severity: Important

Public Date: 2026-04-07T00:00:00Z

Links: CVE-2026-5863 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-09T08:27:03Z

Weaknesses