CVE-2026-5893 - Vulnerability Details

Description

Race in V8 in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)

Published: 2026-04-08

Score: 6.8 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A race condition exists in the V8 JavaScript engine within Google Chrome that allows a remote attacker to cause heap corruption by delivering a specially crafted HTML page. The resulting memory corruption can potentially be leveraged to execute arbitrary code on the victim’s machine, compromising confidentiality, integrity, and availability. The flaw is classified under concurrent modification and thread-scheduling weaknesses, reflected in CWE-362 and CWE-366.

Affected Systems

The vulnerability affects any Google Chrome installation prior to version 147.0.7727.55, regardless of the operating system. This includes Chrome on Windows, macOS, and Linux desktop platforms, as the V8 engine is shared across all those environments.

Risk and Exploitability

The CVSS score of 6.8 places the flaw in the medium severity range, and the EPSS score of less than 1% indicates a low likelihood of exploitation. The vulnerability is not listed in CISA’s Known Exploited Vulnerabilities catalog. The attack vector is inferred from the description as a remote attacker delivering a crafted HTML page through a malicious website or phishing email, which then causes the heap corruption upon rendering. While exploitation is not currently widespread, a successful attack could provide full code execution on the affected system.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Google

Chrome

affected

Version	Status	Constraints
`147.0.7727.55`	affected	< 147.0.7727.55

Configuration 1 [-]

AND

cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*

OR	cpe:2.3:o:apple:macos:-:::::::*
	cpe:2.3:o:linux:linux_kernel:-:::::::*
	cpe:2.3:o:microsoft:windows:-:::::::*

No data.

Vendor Product Confidence Versions

Google

Chrome

100%

Version	Status	Scheme	Platform
`[147.0.7727.55,147.0.7727.55)`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update Google Chrome to version 147.0.7727.55 or newer on all affected systems. Verify the installed version after the update.

Generated by OpenCVE AI on April 13, 2026 at 22:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DSA	DSA-6205-1	chromium security update

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0003.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html
https://issues.chromium.org/issues/487768771
https://nvd.nist.gov/vuln/detail/CVE-2026-5893
https://www.cve.org/CVERecord?id=CVE-2026-5893

History

Mon, 13 Apr 2026 21:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Apple Apple macos Linux Linux linux Kernel Microsoft Microsoft windows
CPEs		cpe:2.3:a:google:chrome:::::::: cpe:2.3:o:apple:macos:-:::::::* cpe:2.3:o:linux:linux_kernel:-:::::::* cpe:2.3:o:microsoft:windows:-:::::::*
Vendors & Products		Apple Apple macos Linux Linux linux Kernel Microsoft Microsoft windows

Mon, 13 Apr 2026 21:15:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}`	ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}` cvssV3_1 `{'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N'}`

Mon, 13 Apr 2026 20:30:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}`	cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}`

Fri, 10 Apr 2026 12:15:00 +0000

Type	Values Removed	Values Added
Title	Race Condition in V8 Engine Leading to Heap Corruption	chromium-browser: Race in V8
Weaknesses		CWE-366
References		https://nvd.nist.gov/vuln/detail/CVE-2026-5893 https://www.cve.org/CVERecord?id=CVE-2026-5893
Metrics	threat_severity `None`	cvssV3_1 `{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}` threat_severity `Moderate`

Thu, 09 Apr 2026 08:30:00 +0000

Type	Values Removed	Values Added
Title		Race Condition in V8 Engine Leading to Heap Corruption
First Time appeared		Google Google chrome
Vendors & Products		Google Google chrome

Wed, 08 Apr 2026 21:30:00 +0000

Type	Values Removed	Values Added
Description		Race in V8 in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)
Weaknesses		CWE-362
References		https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/487768771

Subscriptions

Apple Macos

Google Chrome

Linux Linux Kernel

Microsoft Windows

MITRE

Status: PUBLISHED

Assigner: Chrome

Published: 2026-04-08T21:20:55.922Z

Updated: 2026-04-14T03:55:51.555Z

Reserved: 2026-04-08T19:34:40.926Z

Link: CVE-2026-5893

Vulnrichment

Updated: 2026-04-13T20:10:59.058Z

NVD

Status : Analyzed

Published: 2026-04-08T22:16:29.180

Modified: 2026-04-13T21:17:51.610

Link: CVE-2026-5893

Redhat

Severity : Moderate

Publid Date: 2026-04-07T00:00:00Z

Links: CVE-2026-5893 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-14T16:37:36Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object