Description
Use after free in Navigation in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-04-08
Score: 9.6 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote code execution
Action: Patch Now
AI Analysis

Impact

A use‑after‑free flaw in Chrome’s navigation code lets a crafted web page free an object and subsequently reuse it, causing arbitrary code to run inside the browser’s sandbox. The weakness directly supports execution of attacker‑supplied instructions and is classified as CWE‑416. This single vulnerability can compromise the confidentiality and integrity of the user’s system by allowing any code the browser is permitted to run.

Affected Systems

Google Chrome versions earlier than 147.0.7727.55 are affected. All platforms that run Chrome before this build—including Windows, macOS, Linux, and Chrome‑based browsers on those operating systems—may be vulnerable to the flaw when visiting a malicious page.

Risk and Exploitability

The flaw is exploitable remotely via a crafted HTML page that a user can open or visit over the internet. No special privileges are required beyond normal browser usage, and the attack occurs within the sandbox environment. The vulnerability carries a medium severity rating and is not listed in the CISA KEV catalog; its EPSS score is currently unavailable. The attack vector is inferred from the description of a remote attacker serving a malicious page to the browser.

Generated by OpenCVE AI on April 8, 2026 at 22:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to build 147.0.7727.55 or newer
  • Enable automatic updates to receive future patches promptly



Advisories
Source | ID | Title
Debian DSA | DSA-6205-1 | chromium security update
History

Fri, 10 Apr 2026 12:15:00 +0000

Type | Values Removed | Values Added
Title | Use-After-Free in Chrome Navigation Enables Remote Code Execution | chromium-browser: Use after free in Navigation
Weaknesses | | CWE-825
References | |
Metrics | threat_severity: None | cvssV3_1: {'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}; threat_severity: Moderate


Thu, 09 Apr 2026 08:30:00 +0000

Type | Values Removed | Values Added
Title | | Use-After-Free in Chrome Navigation Enables Remote Code Execution
First Time appeared | | Google, Google chrome
Vendors & Products | | Google, Google chrome

Wed, 08 Apr 2026 21:30:00 +0000

Type | Values Removed | Values Added
Description | | Use after free in Navigation in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)
Weaknesses | | CWE-416
References | |

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-04-08T21:20:47.756Z

Reserved: 2026-04-08T19:34:36.847Z

Link: CVE-2026-5877

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-08T22:16:27.323

Modified: 2026-04-08T22:16:27.323

Link: CVE-2026-5877

Redhat

Severity: Moderate

Public Date: 2026-04-07T00:00:00Z

Links: CVE-2026-5877 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-09T08:26:48Z

Weaknesses