Description
Policy bypass in IFrameSandbox in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who convinced a user to engage in specific UI gestures to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Low)
Published: 2026-04-08
Score: n/a
EPSS: n/a
KEV: No
Impact: Browser Sandbox Breach
Action: Patch
AI Analysis

Impact

The vulnerability is a policy bypass in the IFrameSandbox component of Google Chrome prior to version 147.0.7727.55. An attacker can craft a specialized HTML page and persuade a user to perform specific user interface gestures, such as clicking or dragging. When these gestures are executed, the browser incorrectly applies the sandbox policy, allowing navigation to arbitrary URLs that would normally be disallowed. This bypass does not grant direct code execution but eliminates the browser’s navigation restrictions, which can facilitate phishing, drive‑by downloads, or other content that relies on URL navigation.

Affected Systems

Affected product is Google Chrome. Versions before 147.0.7727.55 are vulnerable, including all prior releases of the stable channel.

Risk and Exploitability

Chromium's security severity for this issue was low. The attacker must convince a user to interact with the malicious page, making it a user-dependent threat. No exploit probability data is available, and the vulnerability is not listed in the CISA KEV catalog. The risk is moderate because the bypass could lead to indirect attacks but it does not expose the system to direct remote code execution.

Generated by OpenCVE AI on April 8, 2026 at 22:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to version 147.0.7727.55 or later via the official update mechanism.
  • Verify that the installed Chrome version is 147.0.7727.55 or newer.

Generated by OpenCVE AI on April 8, 2026 at 22:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 09 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
Title IFrameSandbox Policy Bypass Through Crafted HTML
First Time appeared Google
Google chrome
Weaknesses CWE-601
Vendors & Products Google
Google chrome

Wed, 08 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
Description Policy bypass in IFrameSandbox in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who convinced a user to engage in specific UI gestures to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Low)
References

Subscriptions

Google Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-04-08T21:21:00.551Z

Reserved: 2026-04-08T19:34:43.635Z

Link: CVE-2026-5903

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-04-08T22:16:30.197

Modified: 2026-04-08T22:16:30.197

Link: CVE-2026-5903

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-09T08:26:15Z

Weaknesses