CVE-2026-5884

High

Published: 08 April 2026

Published

08 April 2026

Modified

13 April 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0014 33.2th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

Insufficient validation of untrusted input in Media in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who had compromised the renderer process to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly requires validation and error handling for untrusted input in the Chrome Media component to prevent arbitrary code execution from crafted HTML pages.

SI-2 Flaw Remediation good match

prevent

Mandates timely remediation of the specific input validation flaw by patching Chrome to version 147.0.7727.55 or later.

RA-5 Vulnerability Monitoring and Scanning good match

detect

Facilitates identification of systems with vulnerable Chrome versions through vulnerability scanning, enabling remediation before exploitation.

Security SummaryAI

CVE-2026-5884 involves insufficient validation of untrusted input in the Media component of Google Chrome prior to version 147.0.7727.55. This vulnerability, mapped to CWE-20, was published on 2026-04-08 and carries a Chromium security severity rating of Medium along with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A remote attacker who has compromised the renderer process can exploit this issue via a crafted HTML page to execute arbitrary code inside the sandbox. The attack requires network access, low attack complexity, no privileges, and user interaction, but achieves high impacts on confidentiality, integrity, and availability without scope change.

Mitigation details are provided in the Chrome stable channel update at https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html and the associated Chromium issue at https://issues.chromium.org/issues/484547633, which address the flaw in version 147.0.7727.55 and recommend updating to this or later versions.

Details

CWE(s): CWE-20

Affected Products

google

chrome

≤ 147.0.7727.55

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution

Adversaries may exploit software vulnerabilities in client applications to execute code.

attack.mitre.org →

T1189 Drive-by Compromise Initial Access

Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.

attack.mitre.org →

Why these techniques?

The vulnerability enables arbitrary code execution in the Chrome renderer sandbox via a crafted HTML page requiring user interaction, directly facilitating Exploitation for Client Execution (T1203) and Drive-by Compromise (T1189).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html
Release Notes, Vendor Advisory · chrome-cve-admin@google.com
https://issues.chromium.org/issues/484547633
Issue Tracking, Permissions Required · chrome-cve-admin@google.com