{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5872", "assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "state": "PUBLISHED", "assignerShortName": "Chrome", "dateReserved": "2026-04-08T19:34:35.693Z", "datePublished": "2026-04-08T21:20:45.277Z", "dateUpdated": "2026-04-08T21:20:45.277Z"}, "containers": {"cna": {"affected": [{"vendor": "Google", "product": "Chrome", "versions": [{"version": "147.0.7727.55", "status": "affected", "lessThan": "147.0.7727.55", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Use after free in Blink in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Use after free", "cweId": "CWE-416"}]}], "providerMetadata": {"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "shortName": "Chrome", "dateUpdated": "2026-04-08T21:20:45.277Z"}, "references": [{"url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html"}, {"url": "https://issues.chromium.org/issues/496281816"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Use after free in Blink in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)"}], "id": "CVE-2026-5872", "lastModified": "2026-04-08T22:16:26.800", "metrics": {}, "published": "2026-04-08T22:16:26.800", "references": [{"source": "chrome-cve-admin@google.com", "url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html"}, {"source": "chrome-cve-admin@google.com", "url": "https://issues.chromium.org/issues/496281816"}], "sourceIdentifier": "chrome-cve-admin@google.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "chrome-cve-admin@google.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[147.0.7727.55,147.0.7727.55)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Chrome", "source": "cna", "vendor": "Google"}, "product": "chrome", "vendor": "google"}], "analysis": {"en": {"generated_at": "2026-04-08T22:47:41.115962+00:00", "value": {"mitigation_remediation": ["Update Google Chrome to version 147.0.7727.55 or later, which contains the patch for the use\u2011after\u2011free bug.", "If an immediate update is not possible, restrict access to untrusted web content or enforce strict content security policies to limit execution of untrusted scripts.", "Monitor browser usage for anomalous activity and verify that the updated Chrome version is deployed across all endpoints."], "summary": {"action": "Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The problem affects Google Chrome versions prior to 147.0.7727.55 on all platforms where the Blink engine is used. Users running any unsupported or older releases are exposed.", "description_and_impact": "A use\u2011after\u2011free vulnerability exists in Blink, the rendering engine of Google Chrome. The flaw allows an attacker to craft a malicious HTML page that, when rendered, triggers a memory error. This defect enables the attacker to execute arbitrary code inside Chrome\u2019s sandbox, potentially compromising the user\u2019s system or data. The weakness is identified as CWE\u2011416.", "risk_and_exploitability": "Chromium rates the vulnerability as High. ESPS score is not available, and the issue has not been added to CISA\u2019s KEV catalog. Based on the description, the likely attack vector is a remote user delivering a crafted HTML page to a victim\u2019s browser. An exploit requires only that the user visit the malicious page; no additional configuration or privileges are needed. Consequently, the risk is elevated for any environment that relies on an outdated Chrome installation."}}}}, "created": "2026-04-09T08:17:30.521014+00:00", "title": "Chrome Blink Use-After-Free Enables Remote Code Execution", "updated": "2026-04-09T08:26:54.067348+00:00", "vendors": ["google", "google$PRODUCT$chrome"]}