CVE-2026-5272

High

Published: 01 April 2026

Published

01 April 2026

Modified

01 April 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0003 7.8th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-5272 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 7.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

SI-2 requires timely installation of software patches, directly addressing the need to update Google Chrome to version 146.0.7680.178 or later to remediate the GPU heap buffer overflow.

SI-16 Memory Protection good match

prevent

SI-16 implements memory safeguards like ASLR and DEP that prevent exploitation of heap buffer overflows for arbitrary code execution in the Chrome GPU process.

SI-3 Malicious Code Protection partial match

preventdetect

SI-3 deploys malicious code protection to scan and block crafted HTML pages exploiting the GPU vulnerability before or during code execution attempts.

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution

Adversaries may exploit software vulnerabilities in client applications to execute code.

attack.mitre.org →

Why these techniques?

Heap buffer overflow in Chrome browser enables remote arbitrary code execution via crafted HTML page, directly mapping to exploitation for client execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Heap buffer overflow in GPU in Google Chrome prior to 146.0.7680.178 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)

Deeper analysisAI

CVE-2026-5272 is a heap buffer overflow vulnerability (CWE-122) in the GPU component of Google Chrome versions prior to 146.0.7680.178. It affects the Chromium-based browser and was published on 2026-04-01 with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), classified as High severity by Chromium security.

A remote attacker can exploit this vulnerability by tricking a user into visiting a crafted HTML page, requiring user interaction but no privileges. Successful exploitation allows arbitrary code execution on the victim's system with high impact on confidentiality, integrity, and availability.

Mitigation details are provided in the Chrome release blog at https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_31.html and the Chromium issue tracker at https://issues.chromium.org/issues/491732188; users should update to Google Chrome 146.0.7680.178 or later.

Details

CWE(s): CWE-122

Affected Products

google

chrome

≤ 146.0.7680.177

CVEs Like This One

CVE-2025-8879Same product: Apple Macos

CVE-2026-7339Same product: Apple Macos

CVE-2026-3915Same product: Apple Macos

CVE-2026-7353Same product: Apple Macos

CVE-2026-4448Same product: Apple Macos

CVE-2026-6296Same product: Apple Macos

CVE-2026-5275Same product: Apple Macos

CVE-2026-5858Same product: Apple Macos

CVE-2026-4463Same product: Apple Macos

CVE-2026-6306Same product: Apple Macos

References

https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_31.html
Vendor Advisory · chrome-cve-admin@google.com
https://issues.chromium.org/issues/491732188
Issue Tracking, Permissions Required · chrome-cve-admin@google.com