CVE-2026-5879

High

Published: 08 April 2026

Published

08 April 2026

Modified

13 April 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0015 34.8th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

Insufficient validation of untrusted input in ANGLE in Google Chrome on Mac prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mitigates CVE-2026-5879 by requiring timely patching of vulnerable Google Chrome versions prior to 147.0.7727.55.

RA-5 Vulnerability Monitoring and Scanning partial match

detect

Identifies the presence of the unpatched Chrome vulnerability through regular vulnerability scanning of installed software.

SI-5 Security Alerts, Advisories, and Directives partial match

detect

Ensures monitoring of vendor security advisories like Chrome release notes to promptly learn of and address the ANGLE input validation flaw.

Security SummaryAI

CVE-2026-5879 is an insufficient validation of untrusted input vulnerability (CWE-20) in the ANGLE graphics component within Google Chrome on macOS versions prior to 147.0.7727.55. This flaw allows a remote attacker to execute arbitrary code inside the browser's sandbox via a crafted HTML page. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is rated Medium severity by Chromium security.

A remote attacker can exploit this vulnerability by tricking a user into visiting a malicious website or opening a crafted HTML page in an affected Chrome browser on Mac. No privileges are required (PR:N), but user interaction is needed (UI:R), such as clicking a link. Successful exploitation enables arbitrary code execution confined to the sandbox, potentially leading to high-impact confidentiality, integrity, and availability compromises within that isolated environment.

Google's stable channel update for desktop, announced at https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html, patches this issue in Chrome 147.0.7727.55 and later versions for Mac. Additional details are available in the Chromium issue tracker at https://issues.chromium.org/issues/40073848. Security practitioners should advise users to update Chrome immediately to mitigate the risk.

Details

CWE(s): CWE-20

Affected Products

google

chrome

≤ 147.0.7727.55

MITRE ATT&CK Enterprise TechniquesAI

T1189 Drive-by Compromise Initial Access

Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.

attack.mitre.org →

T1203 Exploitation for Client Execution Execution

Adversaries may exploit software vulnerabilities in client applications to execute code.

attack.mitre.org →

Why these techniques?

The vulnerability enables drive-by compromise (T1189) via crafted HTML pages on malicious websites and exploitation for client execution (T1203) in the Chrome browser sandbox.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html
Release Notes, Vendor Advisory · chrome-cve-admin@google.com
https://issues.chromium.org/issues/40073848
Permissions Required · chrome-cve-admin@google.com