CVE-2026-5863

High

Published: 08 April 2026

Published

08 April 2026

Modified

13 April 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0010 27.6th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

Inappropriate implementation in V8 in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly requires timely identification, reporting, and remediation of flaws like the V8 implementation vulnerability in CVE-2026-5863 via Chrome patching to version 147.0.7727.55 or later.

RA-5 Vulnerability Monitoring and Scanning good match

detect

Vulnerability scanning and monitoring identifies systems with vulnerable Chrome versions affected by CVE-2026-5863, enabling targeted remediation.

SI-5 Security Alerts, Advisories, and Directives good match

prevent

Ensures organizations receive, disseminate, and implement security advisories such as the Chrome stable channel update addressing CVE-2026-5863.

Security SummaryAI

CVE-2026-5863 is an inappropriate implementation vulnerability in the V8 JavaScript and WebAssembly engine within Google Chrome versions prior to 147.0.7727.55. It enables a remote attacker to execute arbitrary code inside the browser's sandbox through a crafted HTML page. The issue carries a Chromium security severity rating of High and a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), with CWE details unavailable from NVD.

A remote attacker can exploit this vulnerability by tricking a user into visiting a malicious website or opening a crafted HTML page, requiring user interaction but no special privileges. Successful exploitation allows arbitrary code execution confined to the sandboxed environment, potentially leading to high-impact confidentiality, integrity, and availability compromises within the browser context.

Mitigation is addressed in the Google Chrome stable channel update documented at https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html, which covers versions 147.0.7727.55 and later. Additional technical details are available in the Chromium issue tracker at https://issues.chromium.org/issues/484527367. Security practitioners should ensure Chrome is updated to at least version 147.0.7727.55 to remediate the vulnerability.

Details

CWE(s): NVD-CWE-noinfo

Affected Products

google

chrome

≤ 147.0.7727.55

MITRE ATT&CK Enterprise TechniquesAI

T1189 Drive-by Compromise Initial Access

Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.

attack.mitre.org →

T1203 Exploitation for Client Execution Execution

Adversaries may exploit software vulnerabilities in client applications to execute code.

attack.mitre.org →

Why these techniques?

The vulnerability is a V8 JavaScript engine flaw in Chrome exploited via crafted HTML pages, enabling remote arbitrary code execution in the browser sandbox, directly mapping to Drive-by Compromise (T1189) and Exploitation for Client Execution (T1203).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html
Release Notes, Vendor Advisory · chrome-cve-admin@google.com
https://issues.chromium.org/issues/484527367
Permissions Required · chrome-cve-admin@google.com