CVE-2026-5860
Published: 08 April 2026
Description
Use after free in WebRTC in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Mitigating Controls (NIST 800-53 r5)
- Mandates timely identification, reporting, and correction of flaws such as the WebRTC use-after-free vulnerability through patching to Chrome 147.0.7727.55.
- Implements memory protection mechanisms like ASLR and DEP that directly mitigate exploitation of use-after-free vulnerabilities in browser components.
- Requires vulnerability scanning to identify systems running vulnerable Chrome versions affected by CVE-2026-5860, enabling prompt remediation.
Security Summary
CVE-2026-5860 is a use-after-free vulnerability (CWE-416) in the WebRTC component of Google Chrome prior to version 147.0.7727.55. Published on 2026-04-08, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is classified as High severity by Chromium security.
A remote attacker can exploit this issue by crafting an HTML page that triggers the use-after-free condition in WebRTC. Exploitation requires user interaction, such as visiting the malicious page, and enables the attacker to execute arbitrary code within the browser's sandbox.
Google addressed the vulnerability in Chrome stable channel update 147.0.7727.55, as detailed in the Chrome Releases blog post (https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html) and the associated Chromium issue tracker entry (https://issues.chromium.org/issues/486495143). Users should update to the patched version to mitigate the risk.
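The remediation check above comes down to one comparison: is the installed Chrome build strictly older than 147.0.7727.55? Below is an added example (not code from the advisory or from Google) showing how an inventory script should do that comparison numerically, because a plain string comparison ranks "147.0.7727.9" after "147.0.7727.55" and would mark a vulnerable host as patched. The `triage` function, the hostnames and the version strings in `SAMPLE_INVENTORY` are constructed for illustration; only the fixed version comes from the advisory.

```python
"""Check whether a Google Chrome build is affected by CVE-2026-5860.

Added example (not from the advisory page): compares a Chrome version
string numerically against the fixed release 147.0.7727.55. The helper
names and the sample inventory are constructed for illustration.
"""
from __future__ import annotations

import re

# Fixed version from the advisory: builds strictly older than this are affected.
FIXED_VERSION = "147.0.7727.55"

# Chrome versions are one to four dotted decimal integers (e.g. 147.0.7727.55).
_VERSION_RE = re.compile(r"^\d+(\.\d+){0,3}$")


def parse_version(version: str) -> tuple[int, int, int, int]:
    """Parse a Chrome version like '147.0.7727.55' into a 4-tuple of ints.

    Missing trailing components are treated as 0, so '147' == '147.0.0.0'.
    Raises ValueError for strings that are not dotted integers.
    """
    version = version.strip()
    if not _VERSION_RE.match(version):
        raise ValueError(f"not a Chrome version string: {version!r}")
    parts = [int(p) for p in version.split(".")]
    parts += [0] * (4 - len(parts))
    return tuple(parts)  # type: ignore[return-value]


def is_affected(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True if `installed` is strictly older than `fixed` (numeric comparison)."""
    return parse_version(installed) < parse_version(fixed)


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Split a host -> version inventory into affected / patched / unknown hosts.

    A version that cannot be parsed lands in 'unknown' rather than silently
    being treated as patched, so it still gets a human look.
    """
    result: dict[str, list[str]] = {"affected": [], "patched": [], "unknown": []}
    for host, version in inventory.items():
        try:
            bucket = "affected" if is_affected(version) else "patched"
        except ValueError:
            bucket = "unknown"
        result[bucket].append(host)
    return result


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "ws-01": "146.0.7700.120",  # older major version -> affected
    "ws-02": "147.0.7727.9",    # same build line, older patch -> affected (string compare gets this wrong)
    "ws-03": "147.0.7727.55",   # exactly the fixed release -> patched
    "ws-04": "148.0.7800.12",   # newer -> patched
    "ws-05": "n/a",             # agent did not report a version -> unknown
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

The inventory dictionary stands in for whatever the endpoint management tool exports; the point is that the comparison is done on integer tuples and that unparseable versions are surfaced separately rather than assumed safe.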
Details
- CWE(s): CWE-416 (Use After Free)
- Affected Products: Google Chrome prior to 147.0.7727.55
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a use-after-free in Chrome's WebRTC exploited via a malicious HTML page, enabling arbitrary code execution in the browser sandbox, directly mapping to Exploitation for Client Execution (T1203).