CVE-2026-5278
Published: 01 April 2026
Summary
CVE-2026-5278 is a high-severity Use After Free (CWE-416) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 7.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-39 (Process Isolation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-2 mandates identification, prioritization, and timely remediation of system flaws, directly preventing exploitation by requiring updates to the patched Chrome version addressing this use-after-free vulnerability.
SI-16 enforces memory protection mechanisms like ASLR and DEP that directly mitigate use-after-free vulnerabilities by complicating arbitrary code execution from crafted HTML pages.
SC-39 requires process isolation such as Chrome's renderer sandboxing to confine arbitrary code execution from the vulnerable Web MIDI component, limiting potential damage.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The use-after-free in Chrome's Web MIDI on Android enables remote arbitrary code execution via a crafted HTML page on a visited website, directly mapping to Drive-by Compromise for initial access.
NVD Description
Use after free in Web MIDI in Google Chrome on Android prior to 146.0.7680.178 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)
Deeper analysisAI
CVE-2026-5278 is a use-after-free vulnerability (CWE-416) in the Web MIDI component of Google Chrome on Android versions prior to 146.0.7680.178. This flaw allows a remote attacker to execute arbitrary code via a crafted HTML page, as reported with Chromium security severity rated High. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and was published on 2026-04-01T05:16:01.070.
A remote attacker without privileges can exploit this issue by luring a user to interact with a malicious HTML page over the network, such as by visiting a booby-trapped website. Successful exploitation leads to arbitrary code execution on the affected Android device, potentially compromising confidentiality, integrity, and availability with high impact.
Google's stable channel update addresses the issue in Chrome for Android 146.0.7680.178 and later versions, as detailed in the Chrome Releases blog at https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_31.html and the Chromium issue tracker at https://issues.chromium.org/issues/490254128. Mitigation requires updating to the patched version, with practitioners recommending immediate upgrades for all affected users.
Details
- CWE(s)