Description
Type Confusion in V8 in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Published: 2026-04-08
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

A type confusion vulnerability exists in the V8 JavaScript engine used by Google Chrome versions earlier than 147.0.7727.55. The flaw, identified as CWE‑843, allows a remote attacker to execute arbitrary code inside the browser’s sandbox through a specially crafted HTML page. Because the code runs with the privileges granted to the sandbox, an attacker can potentially read, modify, or delete data or attempt further privilege escalation if the sandbox is misconfigured.

Affected Systems

Google Chrome installations before 147.0.7727.55 on any platform—macOS, Linux, and Windows—are affected. Users who have not upgraded to the patched build remain vulnerable.

Risk and Exploitability

The CVSS score of 8.8 reflects a high severity and the EPSS score of less than 1% indicates that widespread exploitation is currently unlikely. The vulnerability is not included in the CISA KEV list. Exploitation requires a user to open or render the malicious HTML page in Chrome, after which the attacker can trigger the type confusion and run code within the sandbox. Prompt patching is essential to reduce risk.

Generated by OpenCVE AI on April 13, 2026 at 19:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to version 147.0.7727.55 or newer

Generated by OpenCVE AI on April 13, 2026 at 19:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6205-1 chromium security update
History

Mon, 13 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Mon, 13 Apr 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Fri, 10 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Title chromium-browser: Type Confusion in V8
References
Metrics threat_severity

None

 cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}

threat_severity

Important

Thu, 09 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Wed, 08 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
Description Type Confusion in V8 in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Weaknesses CWE-843
References

Subscriptions

Apple Macos
Google Chrome
Linux Linux Kernel
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-04-13T13:03:43.864Z

Reserved: 2026-04-08T19:34:35.438Z

Link: CVE-2026-5871

cve-icon Vulnrichment

Updated: 2026-04-13T13:03:40.306Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-08T22:16:26.690

Modified: 2026-04-13T16:18:53.350

Link: CVE-2026-5871

cve-icon Redhat

Severity : Important

Publid Date: 2026-04-07T00:00:00Z

Links: CVE-2026-5871 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:37:57Z

Weaknesses