{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5861", "assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "state": "PUBLISHED", "assignerShortName": "Chrome", "dateReserved": "2026-04-08T19:34:32.340Z", "datePublished": "2026-04-08T21:20:40.803Z", "dateUpdated": "2026-04-08T21:20:40.803Z"}, "containers": {"cna": {"affected": [{"vendor": "Google", "product": "Chrome", "versions": [{"version": "147.0.7727.55", "status": "affected", "lessThan": "147.0.7727.55", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Use after free in V8 in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Use after free", "cweId": "CWE-416"}]}], "providerMetadata": {"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "shortName": "Chrome", "dateUpdated": "2026-04-08T21:20:40.803Z"}, "references": [{"url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html"}, {"url": "https://issues.chromium.org/issues/486927780"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Use after free in V8 in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)"}], "id": "CVE-2026-5861", "lastModified": "2026-04-08T22:16:25.610", "metrics": {}, "published": "2026-04-08T22:16:25.610", "references": [{"source": "chrome-cve-admin@google.com", "url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html"}, {"source": "chrome-cve-admin@google.com", "url": "https://issues.chromium.org/issues/486927780"}], "sourceIdentifier": "chrome-cve-admin@google.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "chrome-cve-admin@google.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[147.0.7727.55,147.0.7727.55)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Chrome", "source": "cna", "vendor": "Google"}, "product": "chrome", "vendor": "google"}], "analysis": {"en": {"generated_at": "2026-04-08T22:50:59.579902+00:00", "value": {"mitigation_remediation": ["Update Google Chrome to version 147.0.7727.55 or later, which contains the patched V8 kernel.", "If an immediate update is not feasible, monitor Google\u2019s release channels for the patched version and consider disabling HTML5 features that expose V8 to untrusted content as a temporary measure.", "Verify that site isolation and related security settings are enabled in Chrome to add an extra layer of defense."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "This flaw affects Google Chrome releases prior to version 147.0.7727.55. Users running any earlier stable build are potentially vulnerable.", "description_and_impact": "Chrome\u2019s JavaScript engine, V8, contains a use\u2011after\u2011free flaw that permits a remote attacker to run arbitrary code inside a sandboxed environment by delivering a specifically crafted HTML page. The vulnerability is a classic memory corruption issue, classified as CWE\u2011416, and is considered high severity by Chromium security reviewers.", "risk_and_exploitability": "The exploit requires only that a malicious web page be loaded in the affected browser, making the attack vector inbound, client\u2011side. While the EPSS score is currently unavailable and the vulnerability is not listed in the CISA KEV catalog, the reported high severity and the remote code execution capability indicate a significant risk for any user who visits compromised sites. No specific privileged escalation is required; the code runs within the browser\u2019s sandbox. The lack of a public exploit in the wild does not diminish the threat posed to users who do not promptly apply the available patch."}}}}, "created": "2026-04-09T08:17:41.487700+00:00", "title": "V8 Use\u2011After\u2011Free Enables Remote Code Execution via Crafted HTML Page", "updated": "2026-04-09T08:27:05.130376+00:00", "vendors": ["google", "google$PRODUCT$chrome"]}