CVE-2026-5289
Published: 01 April 2026
Summary
CVE-2026-5289 is a critical-severity Use After Free (CWE-416) vulnerability in Google Chrome. Its CVSS base score is 9.6 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 7.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the use-after-free vulnerability by requiring timely remediation through patching to Chrome 146.0.7680.178 or later.
Implements memory protections such as address space layout randomization and stack guards to prevent exploitation of the use-after-free in the renderer process.
Enforces process isolation to contain damage from a compromised renderer process and limit potential sandbox escapes.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Use-after-free in Chrome renderer Navigation component enables sandbox escape after initial renderer compromise via crafted HTML, directly facilitating exploitation for client execution (T1203) and privilege escalation (T1068) with user interaction on malicious site.
NVD Description
Use after free in Navigation in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Deeper analysisAI
CVE-2026-5289 is a use-after-free vulnerability (CWE-416) in the Navigation component of Google Chrome prior to version 146.0.7680.178. Published on 2026-04-01, it carries a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H) and is classified as High severity by Chromium security.
The vulnerability allows a remote attacker who has already compromised the renderer process to potentially escape the sandbox via a crafted HTML page. Exploitation requires user interaction, such as visiting a malicious site, but needs no privileges and has low complexity over the network, with changed scope and high impacts on confidentiality, integrity, and availability.
Mitigation is provided in Google Chrome 146.0.7680.178 and later via the stable channel update for desktop, as announced in the Chrome Releases blog at https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_31.html and detailed in the Chromium issue tracker at https://issues.chromium.org/issues/495931147. Security practitioners should ensure users update to the patched version promptly.
Details
- CWE(s)