Description
Use after free in Blink in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Published: 2026-04-08
Score: 9.6 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch
AI Analysis

Impact

A use‑after‑free vulnerability (CWE‑416) exists in Blink, the rendering engine of Google Chrome. A crafted HTML page can cause the renderer to free an object while a reference to it is still held; a later use of that dangling reference lets the attacker influence memory the renderer subsequently trusts. The result is arbitrary code execution inside Chrome's renderer sandbox. Compromising the underlying system or the user's data beyond what the sandbox can reach would additionally require a sandbox‑escape bug, which this advisory does not describe.
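The mechanism described above, as an added illustration that is not code from Chromium or from this advisory: a generic CWE‑416 pattern in C, built on a tiny constructed slab allocator so that slot reuse is deterministic. The `Listener`, `Document` and `AttackerBuffer` types and the allocator are assumptions for the demonstration and say nothing about which Blink object is involved in CVE‑2026‑5872 (the page does not identify it). The vulnerable path shows why reclaiming a freed slot hands the attacker a code pointer; the fixed path shows the property a correct fix must have, namely that no reference outlives the object.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal fixed-size slab allocator (constructed for this example). Freed slots
 * go on a LIFO free list, so the next allocation of the same size reuses the
 * slot that was just freed. Production allocators behave similarly enough that
 * reclaiming a freed object is reliable for an attacker. */
#define SLOT_SIZE 32
#define NSLOTS    8

static uint8_t *arena;             /* NSLOTS * SLOT_SIZE bytes, heap-allocated */
static int free_stack[NSLOTS];
static int free_top;

static void slab_init(void) {
    if (!arena) arena = malloc((size_t)NSLOTS * SLOT_SIZE);
    memset(arena, 0, (size_t)NSLOTS * SLOT_SIZE);
    free_top = 0;
    for (int i = NSLOTS - 1; i >= 0; i--) free_stack[free_top++] = i; /* slot 0 handed out first */
}
static void *slab_alloc(void) { return free_top ? arena + free_stack[--free_top] * SLOT_SIZE : NULL; }
static void slab_free(void *p)  { free_stack[free_top++] = (int)(((uint8_t *)p - arena) / SLOT_SIZE); }

/* Two object kinds sharing the slab: a listener carrying a code pointer (think DOM
 * event target) and a byte buffer whose contents the attacker controls (think JS string). */
typedef struct { void (*on_event)(void); uint32_t tag; } Listener;
typedef struct { uint8_t bytes[SLOT_SIZE]; } AttackerBuffer;

/* The "document" keeps a raw, non-owning pointer to its listener. */
typedef struct { Listener *listener; } Document;

static int handler_calls;
static void benign_handler(void) { handler_calls++; }

/* Dispatch refuses to run when there is no live listener. Returns 1 if the handler ran. */
static int dispatch(const Document *doc) {
    if (doc->listener == NULL) return 0;
    doc->listener->on_event();
    return 1;
}

/* Vulnerable pattern: the listener is freed on one path while the document still
 * points at it. A later allocation reclaims the slot, and the document now reads
 * attacker bytes where a code pointer used to be. Returns that pointer's bit
 * pattern; it is deliberately never called. */
uintptr_t demo_vulnerable(void) {
    slab_init();
    Document doc;
    Listener *l = slab_alloc();
    l->on_event = benign_handler;
    l->tag = 0x1111;
    doc.listener = l;

    slab_free(l);                          /* release path forgets about doc.listener */

    AttackerBuffer *buf = slab_alloc();    /* reclaims the same 32-byte slot */
    memset(buf->bytes, 0x41, SLOT_SIZE);   /* attacker-controlled fill */

    return (uintptr_t)doc.listener->on_event;   /* dangling read: low bytes are 0x41414141 */
}

/* Fixed pattern: releasing the listener clears the outstanding reference before
 * the memory is freed, so the later reclaim cannot be reached through the
 * document. Returns the dispatch result, expected 0 (refused). */
static void release_listener(Document *doc) {
    Listener *l = doc->listener;
    doc->listener = NULL;                  /* the fix: no reference outlives the object */
    slab_free(l);
}

int demo_fixed(void) {
    slab_init();
    Document doc;
    Listener *l = slab_alloc();
    l->on_event = benign_handler;
    l->tag = 0x1111;
    doc.listener = l;

    release_listener(&doc);

    AttackerBuffer *buf = slab_alloc();    /* same reclaim as before ... */
    memset(buf->bytes, 0x41, SLOT_SIZE);

    handler_calls = 0;
    return dispatch(&doc);                 /* ... but nothing dangling is followed */
}

int main(void) {
    printf("vulnerable: code pointer now 0x%08x\n", (unsigned)(demo_vulnerable() & 0xFFFFFFFFu));
    printf("fixed: dispatch ran = %d\n", demo_fixed());
    return 0;
}
```

Blink's real fix for a bug of this class is normally an ownership or lifetime change (a strong or weak reference type instead of a raw pointer) rather than a hand-placed `NULL` assignment; the example uses the manual form only because it is the smallest code that exhibits the same property.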

Affected Systems

The problem affects Google Chrome versions prior to 147.0.7727.55 on every platform that ships the Blink engine, and other Chromium builds that track the same code (Debian's chromium package is listed under the advisories below). Any installation that has not been updated to that release, including unsupported or end‑of‑life builds, is exposed.

Risk and Exploitability

Chromium rates the vulnerability as High. The EPSS score is below 1%, and the issue has not been added to CISA’s KEV catalog. Based on the description, the attack vector is a remote attacker delivering a crafted HTML page to a victim’s browser (the CVSS vector recorded below rates this AV:N/AC:L/PR:N/UI:R). Exploitation requires only that the user visit the malicious page; no additional configuration or privileges are needed. Consequently, the risk is elevated for any environment that relies on an outdated Chrome installation.

Generated by OpenCVE AI on April 8, 2026 at 22:47 UTC.

Remediation

No vendor workaround is listed. The vendor fix is the Chrome 147.0.7727.55 release named in the description, and Debian has issued DSA-6205-1 for its chromium package (see Advisories below).

OpenCVE Recommended Actions

  • Update Google Chrome to version 147.0.7727.55 or later, which contains the patch for the use‑after‑free bug.
  • If an immediate update is not possible, restrict browsing to untrusted web content, for example with Chrome’s enterprise URL blocklist/allowlist policies. Note that Content Security Policy is set by the sites a user visits, not by the browser administrator, and does not mitigate a memory‑safety bug in the renderer.
  • Verify that the updated Chrome version is deployed across all endpoints, comparing the four‑component version numerically against 147.0.7727.55 rather than as a string, and monitor for renderer crashes or other anomalous browser behaviour.
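A deployment check for the last recommendation, added here as an example rather than OpenCVE or Google tooling: it parses Chrome version strings as reported by an endpoint agent (the output of `google-chrome --version` has the form `Google Chrome 147.0.7727.55`), compares them component‑wise against the fixed build, and routes anything it cannot parse to an "unknown" bucket instead of silently counting it as patched. The host names and version strings in `SAMPLE_INVENTORY` are constructed for the demonstration.

```python
import re
from typing import Dict, List, Optional, Tuple

# First fixed build named in the CVE description.
FIXED_VERSION = "147.0.7727.55"

# Chrome versions are MAJOR.MINOR.BUILD.PATCH, four decimal components.
# The look-around keeps the match from starting or ending inside a longer number.
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)\.(\d+)(?![\d.])")

Version = Tuple[int, int, int, int]


def parse_chrome_version(text: str) -> Optional[Version]:
    """Pull a four-component Chrome version out of free text such as
    'Google Chrome 147.0.7727.55' or a bare '147.0.7727.55'.
    Returns None when no such version is present."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, build, patch = (int(g) for g in m.groups())
    return (major, minor, build, patch)


def is_vulnerable(version_text: str, fixed: str = FIXED_VERSION) -> Optional[bool]:
    """True if below the fixed build, False if at or above it, None if unparseable.
    Tuple comparison is component-wise and numeric, so 147.0.7727.100 correctly
    sorts above 147.0.7727.55; a plain string comparison would get this wrong."""
    v = parse_chrome_version(version_text)
    f = parse_chrome_version(fixed)
    if v is None or f is None:
        return None
    return v < f


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hosts by patch state. Unparseable entries land in 'unknown' so
    they get investigated rather than assumed patched."""
    groups: Dict[str, List[str]] = {"vulnerable": [], "patched": [], "unknown": []}
    for host, reported in inventory.items():
        state = is_vulnerable(reported)
        key = "unknown" if state is None else ("vulnerable" if state else "patched")
        groups[key].append(host)
    for hosts in groups.values():
        hosts.sort()
    return groups


# Constructed sample inventory: hostname -> version string as reported by the endpoint agent.
SAMPLE_INVENTORY = {
    "wks-01": "Google Chrome 147.0.7727.55",
    "wks-02": "147.0.7727.100",
    "wks-03": "146.0.7710.20",
    "wks-04": "147.0.7727.54",
    "srv-05": "not installed",
}

if __name__ == "__main__":
    for state, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{state:>10}: {', '.join(hosts) or '-'}")
```

The "unknown" bucket matters in practice: an agent that reports nothing for a host is far more often a missing or broken inventory record than a machine without a browser.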

Generated by OpenCVE AI on April 8, 2026 at 22:47 UTC.

Advisories
Source: Debian DSA
ID: DSA-6205-1
Title: chromium security update
History

Fri, 10 Apr 2026 12:15:00 +0000

Type | Values Removed | Values Added
Title | Chrome Blink Use-After-Free Enables Remote Code Execution | chromium-browser: Use after free in Blink
Weaknesses | | CWE-825
References | |
Metrics | threat_severity: None | cvssV3_1: {'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}; threat_severity: Important


Thu, 09 Apr 2026 08:30:00 +0000

Type | Values Removed | Values Added
Title | | Chrome Blink Use-After-Free Enables Remote Code Execution
First Time appeared | | Google; Google chrome
Vendors & Products | | Google; Google chrome

Wed, 08 Apr 2026 21:30:00 +0000

Type | Values Removed | Values Added
Description | | Use after free in Blink in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Weaknesses | | CWE-416
References | |

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-04-10T03:55:53.655Z

Reserved: 2026-04-08T19:34:35.693Z

Link: CVE-2026-5872

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-08T22:16:26.800

Modified: 2026-04-08T22:16:26.800

Link: CVE-2026-5872

Redhat

Severity : Important

Public Date: 2026-04-07T00:00:00Z

Links: CVE-2026-5872 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-09T08:26:54Z

Weaknesses