Cyber Resilience

CVE-2026-5289

Critical

Published: 01 April 2026

Published
01 April 2026
Modified
01 April 2026
KEV Added
Patch
CVSS Score v3.1 9.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
EPSS Score 0.0027 19.1th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-5289 is a critical-severity Use After Free (CWE-416) vulnerability in Google Chrome. Its CVSS base score is 9.6 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 19.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-5289 is a use-after-free vulnerability (CWE-416) in the Navigation component of Google Chrome prior to version 146.0.7680.178. Published on 2026-04-01, it carries a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H) and is classified as High severity by Chromium security.

The vulnerability allows a remote attacker who has already compromised the renderer process to potentially escape the sandbox via a crafted HTML page. Exploitation requires user interaction, such as visiting a malicious site, but needs no privileges and has low complexity over the network, with changed scope and high impacts on confidentiality, integrity, and availability.

Mitigation is provided in Google Chrome 146.0.7680.178 and later via the stable channel update for desktop, as announced in the Chrome Releases blog at https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_31.html and detailed in the Chromium issue tracker at https://issues.chromium.org/issues/495931147. Security practitioners should ensure users update to the patched version promptly.

EU & UK References

Vulnerability details

Use after free in Navigation in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

Use-after-free in Chrome renderer Navigation component enables sandbox escape after initial renderer compromise via crafted HTML, directly facilitating exploitation for client execution (T1203) and privilege escalation (T1068) with user interaction on malicious site.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-7908Same product: Apple Macos
CVE-2026-6304Same product: Apple Macos
CVE-2026-9901Same product: Apple Macos
CVE-2026-5874Same product: Apple Macos
CVE-2026-8511Same product: Apple Macos
CVE-2026-7991Same product: Apple Macos
CVE-2026-8512Same product: Apple Macos
CVE-2026-9874Same product: Apple Macos
CVE-2026-6309Same product: Apple Macos
CVE-2026-4676Same product: Apple Macos

Affected Assets

google
chrome
≤ 146.0.7680.177

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the use-after-free vulnerability by requiring timely remediation through patching to Chrome 146.0.7680.178 or later.

prevent

Implements memory protections such as address space layout randomization and stack guards to prevent exploitation of the use-after-free in the renderer process.

prevent

Enforces process isolation to contain damage from a compromised renderer process and limit potential sandbox escapes.

References