CVE-2026-5877

High

Published: 08 April 2026

Published

08 April 2026

Modified

14 April 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0014 33.5th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

Use after free in Navigation in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly requires timely remediation of the use-after-free vulnerability in Google Chrome's Navigation component by patching to version 147.0.7727.55 or later.

SI-5 Security Alerts, Advisories, and Directives good match

prevent

Ensures organizations receive and implement security advisories from Chromium releases addressing CVE-2026-5877.

RA-5 Vulnerability Monitoring and Scanning partial match

detect

Enables vulnerability scanning to identify systems running Google Chrome versions prior to 147.0.7727.55 affected by this flaw.

Security SummaryAI

CVE-2026-5877 is a use-after-free vulnerability (CWE-416) in the Navigation component of Google Chrome versions prior to 147.0.7727.55. It affects the browser's rendering engine, stemming from Chromium, and was published on 2026-04-08 with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), classified as medium severity by Chromium security.

A remote attacker can exploit this vulnerability by tricking a user into visiting a crafted HTML page, leading to arbitrary code execution inside the browser's sandbox. The attack requires user interaction, such as clicking a link or loading a malicious site, but no special privileges, enabling potential high-impact compromise of confidentiality, integrity, and availability within the sandboxed environment.

Mitigation is addressed in the Chrome stable channel update, with the fix included in version 147.0.7727.55 and later, as detailed in the Chrome Releases blog at https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html and the Chromium issue tracker at https://issues.chromium.org/issues/333024273. Security practitioners should prioritize updating affected Chrome installations.

Details

CWE(s): CWE-416

Affected Products

google

chrome

≤ 147.0.7727.55

MITRE ATT&CK Enterprise TechniquesAI

T1189 Drive-by Compromise Initial Access

Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.

attack.mitre.org →

T1203 Exploitation for Client Execution Execution

Adversaries may exploit software vulnerabilities in client applications to execute code.

attack.mitre.org →

Why these techniques?

Use-after-free vulnerability exploited via crafted HTML page for sandboxed RCE with user interaction maps directly to Drive-by Compromise (T1189) and Exploitation for Client Execution (T1203).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html
Release Notes, Vendor Advisory · chrome-cve-admin@google.com
https://issues.chromium.org/issues/333024273
Permissions Required · chrome-cve-admin@google.com