CVE-2026-5866
Published: 08 April 2026
Description
Use after free in Media in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the use-after-free vulnerability by requiring timely identification, reporting, and correction via the Chrome patch to version 147.0.7727.55.
Implements memory protection controls such as ASLR and DEP to minimize the exploitability of use-after-free flaws in the Chrome Media component.
Enforces process isolation through Chrome's sandboxing, confining arbitrary code execution from the vulnerability to the isolated media process.
Security SummaryAI
CVE-2026-5866 is a use-after-free vulnerability (CWE-416) in the Media component of Google Chrome prior to version 147.0.7727.55. Published on 2026-04-08, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is classified as High severity by Chromium security.
A remote attacker can exploit this flaw via a crafted HTML page, enabling arbitrary code execution inside the Chrome sandbox. Exploitation requires user interaction, such as visiting the malicious page, but needs no privileges and has low attack complexity over the network.
Google addressed the issue in the stable channel update to Chrome 147.0.7727.55. Additional details are available in the Chrome Releases blog at https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html and the Chromium issue tracker at https://issues.chromium.org/issues/492218537.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE-2026-5866 is a client-side use-after-free vulnerability in Chrome exploited via crafted HTML pages, directly enabling drive-by compromise (T1189) and exploitation for client execution (T1203).