CVE-2026-5870

High

Published: 08 April 2026

Published

08 April 2026

Modified

13 April 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0010 27.6th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

Integer overflow in Skia in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly remediates the integer overflow in Skia by requiring timely patching to Chrome 147.0.7727.55 or later.

SI-16 Memory Protection partial match

prevent

Provides memory protection mechanisms like ASLR and DEP that hinder arbitrary code execution resulting from the integer overflow.

SI-10 Information Input Validation partial match

prevent

Validates crafted HTML inputs to prevent triggering the integer overflow vulnerability in the Skia graphics library.

Security SummaryAI

CVE-2026-5870 is an integer overflow vulnerability in the Skia graphics library within Google Chrome prior to version 147.0.7727.55. This issue, mapped to CWE-190 (Integer Overflow or Wraparound) and CWE-472 (External Control of Assumed-Immutable Web Parameter), carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is rated High severity by Chromium. Published on 2026-04-08, it allows a remote attacker to execute arbitrary code inside the browser's sandbox through a crafted HTML page.

The attack requires no privileges and low complexity, with a remote attacker (AV:N/PR:N) enticing a user to interact with a malicious site (AC:L/UI:R). Exploitation results in arbitrary code execution confined to the sandbox (S:U), yielding high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H).

Mitigation is addressed in the Chrome stable channel update for desktop, as detailed in the Chrome Releases blog at https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html, and the upstream fix in Chromium issue 495534710 at https://issues.chromium.org/issues/495534710. Users should update to Google Chrome 147.0.7727.55 or later to patch the vulnerability.

Details

CWE(s): CWE-472 CWE-190

Affected Products

google

chrome

≤ 147.0.7727.55

MITRE ATT&CK Enterprise TechniquesAI

T1189 Drive-by Compromise Initial Access

Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.

attack.mitre.org →

T1203 Exploitation for Client Execution Execution

Adversaries may exploit software vulnerabilities in client applications to execute code.

attack.mitre.org →

Why these techniques?

The vulnerability enables drive-by compromise (T1189) and exploitation for client execution (T1203) via crafted HTML in a browser, leading to sandboxed arbitrary code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html
Release Notes, Vendor Advisory · chrome-cve-admin@google.com
https://issues.chromium.org/issues/495534710
Permissions Required · chrome-cve-admin@google.com