CVE-2026-5274
Published: 01 April 2026
Summary
CVE-2026-5274 is a high-severity External Control of Assumed-Immutable Web Parameter (CWE-472) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 7.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-39 (Process Isolation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Timely identification, reporting, and correction of the integer overflow flaw in Chrome's Codecs directly prevents arbitrary read/write exploitation via crafted HTML pages.
Memory protection techniques such as address space layout randomization and data execution prevention mitigate integer overflow vulnerabilities by restricting unauthorized memory read/write access.
Process isolation enforces sandboxing in browsers like Chrome, containing potential arbitrary read/write exploits within the affected renderer process to prevent broader system compromise.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is an integer overflow in Chrome allowing arbitrary read/write via crafted HTML page on a malicious site, directly enabling drive-by compromise of the browser (T1189) and exploitation of client application for code execution (T1203).
NVD Description
Integer overflow in Codecs in Google Chrome prior to 146.0.7680.178 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page. (Chromium security severity: High)
Deeper analysisAI
CVE-2026-5274 is an integer overflow vulnerability in the Codecs component of Google Chrome versions prior to 146.0.7680.178. The flaw, classified under CWE-472, enables a remote attacker to perform arbitrary read and write operations through a specially crafted HTML page. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is rated High severity by Chromium security.
A remote attacker can exploit this vulnerability by tricking a user into visiting a malicious website hosting the crafted HTML page, as it requires user interaction but no special privileges. Successful exploitation grants arbitrary read/write capabilities, potentially allowing full compromise of the affected browser process with high impacts on confidentiality, integrity, and availability.
Mitigation is provided in Google Chrome 146.0.7680.178 and later versions, as detailed in the Chrome stable channel update release notes at https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_31.html and the associated Chromium issue tracker at https://issues.chromium.org/issues/488596746. Security practitioners should ensure users update to the patched version promptly.
Details
- CWE(s)