CVE-2026-5865
Published: 08 April 2026
Description
Type Confusion in V8 in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Mitigating Controls (NIST 800-53 r5)AI
Directly requires timely remediation of the V8 type confusion flaw through application of the Chrome update to version 147.0.7727.55 or later.
Implements memory protections like ASLR and DEP that mitigate exploitation of type confusion vulnerabilities leading to arbitrary code execution.
Establishes controls and policies for mobile code such as JavaScript in crafted HTML pages that trigger the V8 type confusion vulnerability.
Security SummaryAI
CVE-2026-5865 is a type confusion vulnerability (CWE-843) in the V8 JavaScript engine within Google Chrome prior to version 147.0.7727.55. Published on 2026-04-08, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is rated High severity by Chromium security.
A remote attacker can exploit this vulnerability by tricking a user into visiting a crafted HTML page, leading to arbitrary code execution inside the Chrome sandbox. The attack requires user interaction but no privileges, enabling high-impact confidentiality, integrity, and availability violations within the browser's scope.
Mitigation is available via the stable channel update for desktop Chrome, as announced in the Chrome Releases blog at https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html. Additional details are provided in the Chromium issue tracker at https://issues.chromium.org/issues/491884710. Users should update to version 147.0.7727.55 or later.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Type confusion in Chrome's V8 engine exploited via crafted HTML page enables drive-by compromise (T1189) and exploitation for client execution (T1203).