CVE-2026-5871

High

Published: 08 April 2026

Published

08 April 2026

Modified

13 April 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0010 27.9th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

Type Confusion in V8 in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mandates identification, reporting, and correction of the V8 type confusion flaw through timely patching of Chrome to version 147.0.7727.55 or later.

RA-5 Vulnerability Monitoring and Scanning good match

detect

Facilitates proactive identification of endpoints running vulnerable Chrome versions prior to 147.0.7727.55 via regular vulnerability scanning.

SI-5 Security Alerts, Advisories, and Directives partial match

detect

Ensures awareness of the CVE and patch availability by requiring dissemination of security advisories from sources like Chromium releases.

Security SummaryAI

CVE-2026-5871 is a type confusion vulnerability in the V8 JavaScript engine affecting Google Chrome versions prior to 147.0.7727.55. The flaw, classified under CWE-843, enables a remote attacker to execute arbitrary code within the browser's sandbox via a crafted HTML page. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is rated High severity by Chromium security.

A remote attacker can exploit this vulnerability by tricking a user into visiting a malicious website or interacting with a crafted HTML page, requiring no privileges. Successful exploitation allows arbitrary code execution confined to the sandboxed environment, potentially leading to high confidentiality, integrity, and availability impacts within the browser context.

Mitigation is provided in Google Chrome 147.0.7727.55 and later versions, as detailed in the stable channel update advisory at https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html and the Chromium issue tracker at https://issues.chromium.org/issues/495679730. Security practitioners should ensure users update to the patched version promptly.

Details

CWE(s): CWE-843

Affected Products

google

chrome

≤ 147.0.7727.55

MITRE ATT&CK Enterprise TechniquesAI

T1189 Drive-by Compromise Initial Access

Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.

attack.mitre.org →

T1203 Exploitation for Client Execution Execution

Adversaries may exploit software vulnerabilities in client applications to execute code.

attack.mitre.org →

Why these techniques?

The vulnerability is a browser RCE via crafted HTML page on malicious website, directly enabling drive-by compromise (T1189) and exploitation for client execution (T1203).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html
Release Notes, Vendor Advisory · chrome-cve-admin@google.com
https://issues.chromium.org/issues/495679730
Permissions Required · chrome-cve-admin@google.com