Description
Out of bounds read and write in V8 in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Published: 2026-04-08
Score: 9.6 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution via sandbox
Action: Immediate Patch
AI Analysis

Impact

V8, the JavaScript engine in Google Chrome, contains an out‑of‑bounds read and write that allows an attacker to execute arbitrary code inside the browser sandbox through a specially crafted HTML page. The vulnerability is classified as high severity, meaning a successful exploit would compromise the confidentiality, integrity, and availability of the affected system.

Affected Systems

Chrome browsers running a version earlier than 147.0.7727.55 on any operating system are affected. Users who have not installed the latest stable update are at risk.

Risk and Exploitability

The attack vector is remote: an adversary can host a malicious web page that triggers the out‑of‑bounds memory operation when a user visits it. No CVSS score is supplied, but the designation “high” indicates significant risk. EPSS data is unavailable, and the vulnerability has not been listed in the CISA KEV catalog. Consequently, the likelihood of exploitation remains uncertain but potentially high given the remote nature of the flaw and the widespread use of Chrome.

Generated by OpenCVE AI on April 8, 2026 at 22:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to version 147.0.7727.55 or later.
  • Verify that the update was applied by checking the version number in Chrome’s About page.

Advisories
Source | ID | Title
Debian DSA | DSA-6205-1 | chromium security update
History

Fri, 10 Apr 2026 12:15:00 +0000

Type | Values Removed | Values Added
Title | V8 Out-of-Bounds Read/Write Allows Remote Code Execution via Crafted HTML | chromium-browser: Out of bounds read and write in V8
Weaknesses | | CWE-125
References | |
Metrics | threat_severity: None | cvssV3_1: {'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}; threat_severity: Important


Thu, 09 Apr 2026 08:30:00 +0000

Type | Values Removed | Values Added
Title | | V8 Out-of-Bounds Read/Write Allows Remote Code Execution via Crafted HTML
First Time appeared | | Google; Google chrome
Weaknesses | | CWE-787
Vendors & Products | | Google; Google chrome

Wed, 08 Apr 2026 21:30:00 +0000

Type | Values Removed | Values Added
Description | | Out of bounds read and write in V8 in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
References | |

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-04-10T03:55:55.449Z

Reserved: 2026-04-08T19:34:35.913Z

Link: CVE-2026-5873

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-08T22:16:26.907

Modified: 2026-04-08T22:16:26.907

Link: CVE-2026-5873

Redhat

Severity: Important

Public Date: 2026-04-07T00:00:00Z

Links: CVE-2026-5873 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-09T08:26:53Z

Weaknesses