Description
Type Confusion in V8 in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Published: 2026-04-08
Score: 9.6 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution within sandboxed environment
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a type confusion error in the V8 JavaScript engine used by Google Chrome. It allows a remote attacker to craft an HTML page that confuses the engine’s type handling, enabling arbitrary code execution inside the browser’s sandbox. This flaw is a high‑severity issue, as it can lead to complete compromise of the sandbox and, through potential privilege escalation rules, system compromise.

Affected Systems

Google Chrome browsers with versions earlier than 147.0.7727.55 are affected. Users running these versions on any platform are susceptible until a newer build addresses the flaw.

Risk and Exploitability

Given the high severity rating and the fact that the flaw can be triggered via a malicious web page, the risk of exploitation is significant for users visiting untrusted sites. The CVE does not provide an EPSS score or CEV listing, but the lack of such data does not reduce the potential for real‑world attacks. An attacker who can serve a malicious page or influence a user’s browsing activity could attempt to exploit this type confusion to execute code in the sandbox, potentially bypassing security boundaries. No official workaround is available, so the only sustainable mitigation is to upgrade to an affected‑issue‑fixed release.

Generated by OpenCVE AI on April 8, 2026 at 22:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to version 147.0.7727.55 or later.
  • If an immediate update is not possible, restrict or disable JavaScript execution for untrusted sites via browser settings or group policy.
  • Monitor Chrome release notes for future patches or additional mitigations.

Generated by OpenCVE AI on April 8, 2026 at 22:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6205-1 chromium security update
History

Fri, 10 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Title chromium-browser: Type Confusion in V8
References
Metrics threat_severity

None

 cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}

threat_severity

Important

Thu, 09 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Wed, 08 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
Description Type Confusion in V8 in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Weaknesses CWE-843
References

Subscriptions

Google Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-04-10T03:55:51.953Z

Reserved: 2026-04-08T19:34:35.438Z

Link: CVE-2026-5871

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-04-08T22:16:26.690

Modified: 2026-04-08T22:16:26.690

Link: CVE-2026-5871

cve-icon Redhat

Severity : Important

Publid Date: 2026-04-07T00:00:00Z

Links: CVE-2026-5871 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-09T08:26:55Z

Weaknesses