{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5904", "assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "state": "PUBLISHED", "assignerShortName": "Chrome", "dateReserved": "2026-04-08T19:34:43.875Z", "datePublished": "2026-04-08T21:21:00.932Z", "dateUpdated": "2026-04-08T21:21:00.932Z"}, "containers": {"cna": {"affected": [{"vendor": "Google", "product": "Chrome", "versions": [{"version": "147.0.7727.55", "status": "affected", "lessThan": "147.0.7727.55", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Use after free in V8 in Google Chrome prior to 147.0.7727.55 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension. (Chromium security severity: Low)"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Use after free", "cweId": "CWE-416"}]}], "providerMetadata": {"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "shortName": "Chrome", "dateUpdated": "2026-04-08T21:21:00.932Z"}, "references": [{"url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html"}, {"url": "https://issues.chromium.org/issues/483851888"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Use after free in V8 in Google Chrome prior to 147.0.7727.55 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension. (Chromium security severity: Low)"}], "id": "CVE-2026-5904", "lastModified": "2026-04-08T22:16:30.287", "metrics": {}, "published": "2026-04-08T22:16:30.287", "references": [{"source": "chrome-cve-admin@google.com", "url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html"}, {"source": "chrome-cve-admin@google.com", "url": "https://issues.chromium.org/issues/483851888"}], "sourceIdentifier": "chrome-cve-admin@google.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "chrome-cve-admin@google.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[147.0.7727.55,147.0.7727.55)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Chrome", "source": "cna", "vendor": "Google"}, "product": "chrome", "vendor": "google"}], "analysis": {"en": {"generated_at": "2026-04-08T22:36:21.969263+00:00", "value": {"mitigation_remediation": ["Upgrade Chrome to version 147.0.7727.55 or later"], "summary": {"action": "Apply Patch", "impact": "Heap Corruption"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Google Chrome browsers on all platforms that use V8 before version 147.0.7727.55. Users running any Chrome build prior to this revision are potentially exposed.", "description_and_impact": "A use\u2011after\u2011free flaw in the V8 engine can allow a crafted malicious Chrome Extension to corrupt heap memory. If the user installs such an extension, the resulting memory corruption could enable arbitrary code execution or other malicious activities. Chromium rates the issue as low severity and no known remote exploitation has been reported.", "risk_and_exploitability": "The CVSS score is not disclosed in the available data; Chromium lists the vulnerability as low severity. EPSS information is missing and the issue is not included in the CISA KEV catalog. Attackers would need to persuade a user to install a malicious extension, a social\u2011engineering-based vector. No publicly available exploits are known, so the practical risk is moderate."}}}}, "created": "2026-04-09T08:16:48.617406+00:00", "title": "V8 Use\u2011After\u2011Free via Malicious Chrome Extension", "updated": "2026-04-09T08:26:14.686903+00:00", "vendors": ["google", "google$PRODUCT$chrome"]}