Cyber Resilience

CVE-2026-5278

High

Published: 01 April 2026

Published
01 April 2026
Modified
01 April 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0041 32.4th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-5278 is a high-severity Use After Free (CWE-416) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 32.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-39 (Process Isolation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-5278 is a use-after-free vulnerability (CWE-416) in the Web MIDI component of Google Chrome on Android versions prior to 146.0.7680.178. This flaw allows a remote attacker to execute arbitrary code via a crafted HTML page, as reported with Chromium security severity rated High. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and was published on 2026-04-01T05:16:01.070.

A remote attacker without privileges can exploit this issue by luring a user to interact with a malicious HTML page over the network, such as by visiting a booby-trapped website. Successful exploitation leads to arbitrary code execution on the affected Android device, potentially compromising confidentiality, integrity, and availability with high impact.

Google's stable channel update addresses the issue in Chrome for Android 146.0.7680.178 and later versions, as detailed in the Chrome Releases blog at https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_31.html and the Chromium issue tracker at https://issues.chromium.org/issues/490254128. Mitigation requires updating to the patched version, with practitioners recommending immediate upgrades for all affected users.

EU & UK References

Vulnerability details

Use after free in Web MIDI in Google Chrome on Android prior to 146.0.7680.178 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1189 Drive-by Compromise Initial Access
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
Why these techniques?

The use-after-free in Chrome's Web MIDI on Android enables remote arbitrary code execution via a crafted HTML page on a visited website, directly mapping to Drive-by Compromise for initial access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-5285Same product: Apple Macos
CVE-2026-9873Same product: Apple Macos
CVE-2026-7357Same product: Apple Macos
CVE-2026-7342Same product: Apple Macos
CVE-2026-4680Same product: Apple Macos
CVE-2026-7355Same product: Apple Macos
CVE-2026-5284Same product: Apple Macos
CVE-2026-7918Same product: Apple Macos
CVE-2026-9992Same product: Apple Macos
CVE-2026-9118Same product: Apple Macos

Affected Assets

google
chrome
≤ 146.0.7680.177

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-2 mandates identification, prioritization, and timely remediation of system flaws, directly preventing exploitation by requiring updates to the patched Chrome version addressing this use-after-free vulnerability.

prevent

SI-16 enforces memory protection mechanisms like ASLR and DEP that directly mitigate use-after-free vulnerabilities by complicating arbitrary code execution from crafted HTML pages.

prevent

SC-39 requires process isolation such as Chrome's renderer sandboxing to confine arbitrary code execution from the vulnerable Web MIDI component, limiting potential damage.

References