Description
Use after free in Blink in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Published: 2026-04-08
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Immediately
AI Analysis

Impact

A use‑after‑free flaw within the Blink rendering engine of Google Chrome versions prior to 147.0.7727.55 allows a remote attacker to execute arbitrary code inside the browser’s sandbox by delivering a malformed HTML document. The vulnerability is a classic Use After Free (CWE‑416) combined with an inconsistent volume handling vector (CWE‑825). If exploited, the attacker can run code with the same identity as the browser process, potentially leading to local privilege escalation or system compromise.

Affected Systems

The flaw affects Google Chrome for desktop on Windows, macOS, and Linux platforms. Any installation of Chrome with a version earlier than 147.0.7727.55 is vulnerable, regardless of operating system. Users of older Chrome releases should update to the latest stable channel release to mitigate the risk.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity vulnerability. The low EPSS score of less than 1% suggests that large‑scale exploitation is currently unlikely, and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, the attack requires a malicious HTML page to be opened by the user, implying that phishing or social engineering could be used as the vector. Due to the critical nature of the impact and the potential for remote code execution, organizations should treat the flaw as a high priority.

Generated by OpenCVE AI on April 13, 2026 at 19:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Chrome update (version 147.0.7727.55 or newer).
  • Confirm that automatic updates are enabled and that the installed version matches the latest release.
  • If an update cannot be applied immediately, disable or restrict the rendering of remote HTML content—such as turning off JavaScript or using a browser with stricter sandboxing—until the patch is available.
  • Maintain regular monitoring of security advisories from Google and related vendor channels to stay aware of future patches or additional mitigations.

Generated by OpenCVE AI on April 13, 2026 at 19:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6205-1 chromium security update
History

Mon, 13 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Mon, 13 Apr 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Fri, 10 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Title Chrome Blink Use-After-Free Enables Remote Code Execution chromium-browser: Use after free in Blink
Weaknesses CWE-825
References
Metrics threat_severity

None

 cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}

threat_severity

Important

Thu, 09 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
Title Chrome Blink Use-After-Free Enables Remote Code Execution
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Wed, 08 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
Description Use after free in Blink in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Weaknesses CWE-416
References

Subscriptions

Apple Macos
Google Chrome
Linux Linux Kernel
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-04-13T13:03:14.983Z

Reserved: 2026-04-08T19:34:35.693Z

Link: CVE-2026-5872

cve-icon Vulnrichment

Updated: 2026-04-13T13:03:12.083Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-08T22:16:26.800

Modified: 2026-04-13T18:06:34.253

Link: CVE-2026-5872

cve-icon Redhat

Severity : Important

Publid Date: 2026-04-07T00:00:00Z

Links: CVE-2026-5872 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:37:56Z

Weaknesses