CVE-2026-5868 - Vulnerability Details

- chromium-browser: Heap buffer overflow in ANGLE

Description

Heap buffer overflow in ANGLE in Google Chrome on Mac prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Published: 2026-04-08

Score: 8.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

This vulnerability is a heap buffer overflow in the ANGLE graphics component of Google Chrome on macOS. An attacker can send a specially crafted HTML page that causes the overflow, allowing arbitrary code to run inside the browser's sandbox. The weakness is classified as a heap-based buffer overflow, which can compromise application confidentiality and integrity. The official severity is high, indicating that successful exploitation would enable a remote attacker to execute code with the sandbox's privileges.

Affected Systems

Users running Google Chrome on macOS before version 147.0.7727.55 are affected. The issue exists in all builds of the stable Chrome channel on macOS that include the vulnerable ANGLE implementation. No other platforms or Chrome versions are listed as impacted.

Risk and Exploitability

The CVSS base score of 8.8 reflects significant impact with remote exploitation. The EPSS score of less than 1% indicates the probability of exploitation is currently low, and it is not listed in CISA's KEV catalog. Nevertheless, the attack vector is remote via a crafted HTML page delivered over the network, meaning that any user who visits a malicious website could be targeted. The sandbox limitation reduces damage scope, but arbitrary code execution is still possible within the sandbox context and could lead to privilege escalation or further compromise.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Google

Chrome

affected

Version	Status	Constraints
`147.0.7727.55`	affected	< 147.0.7727.55

Configuration 1 [-]

AND

cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*

cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Google

Chrome

100%

Version	Status	Scheme	Platform
`[147.0.7727.55,147.0.7727.55)`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update Google Chrome to version 147.0.7727.55 or later, which patches the ANGLE buffer overflow.
If an update is not immediately possible, consider disabling or restricting ANGLE usage via Chrome flags or enterprise policy as a temporary measure.
Monitor security advisories for any additional mitigation guidance or patches.

Generated by OpenCVE AI on April 13, 2026 at 19:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DSA	DSA-6205-1	chromium security update

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00091.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html
https://issues.chromium.org/issues/493256564
https://nvd.nist.gov/vuln/detail/CVE-2026-5868
https://www.cve.org/CVERecord?id=CVE-2026-5868

History

Mon, 13 Apr 2026 18:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Apple Apple macos
CPEs		cpe:2.3:a:google:chrome:::::::: cpe:2.3:o:apple:macos:-:::::::*
Vendors & Products		Apple Apple macos

Mon, 13 Apr 2026 13:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Fri, 10 Apr 2026 12:15:00 +0000

Type	Values Removed	Values Added
Title	Heap Buffer Overflow in Chrome ANGLE Leading to Remote Code Execution	chromium-browser: Heap buffer overflow in ANGLE
Weaknesses		CWE-787
References		https://nvd.nist.gov/vuln/detail/CVE-2026-5868 https://www.cve.org/CVERecord?id=CVE-2026-5868
Metrics	threat_severity `None`	cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}` threat_severity `Important`

Thu, 09 Apr 2026 08:30:00 +0000

Type	Values Removed	Values Added
Title		Heap Buffer Overflow in Chrome ANGLE Leading to Remote Code Execution
First Time appeared		Google Google chrome
Vendors & Products		Google Google chrome

Wed, 08 Apr 2026 21:30:00 +0000

Type	Values Removed	Values Added
Description		Heap buffer overflow in ANGLE in Google Chrome on Mac prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Weaknesses		CWE-122
References		https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/493256564

Subscriptions

Apple Macos

Google Chrome

MITRE

Status: PUBLISHED

Assigner: Chrome

Published: 2026-04-08T21:20:43.524Z

Updated: 2026-04-13T13:05:27.393Z

Reserved: 2026-04-08T19:34:34.006Z

Link: CVE-2026-5868

Vulnrichment

Updated: 2026-04-13T13:05:24.506Z

NVD

Status : Analyzed

Published: 2026-04-08T22:16:26.360

Modified: 2026-04-13T18:10:29.863

Link: CVE-2026-5868

Redhat

Severity : Important

Publid Date: 2026-04-07T00:00:00Z

Links: CVE-2026-5868 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-14T16:38:00Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object