CVE-2026-5859
Published: 08 April 2026
Summary
CVE-2026-5859 is a high-severity External Control of Assumed-Immutable Web Parameter (CWE-472) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189). The CVE ranks at the 24.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-39 (Process Isolation) and SI-16 (Memory Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly mandates timely patching of the integer overflow vulnerability in Chrome's WebML to version 147.0.7727.55 or later, eliminating the heap corruption risk.
Implements memory protections such as ASLR, DEP, and stack canaries that prevent successful exploitation of heap corruption triggered by the WebML integer overflow.
Enforces process isolation through Chrome's sandboxing, confining heap corruption from WebML within renderer processes to block escalation to system compromise.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An integer overflow leading to heap corruption via a crafted HTML page directly enables drive-by compromise (T1189) through visits to a malicious webpage, and exploitation for client execution (T1203) in browser software.
NVD Description
Integer overflow in WebML in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)
Deeper analysis
CVE-2026-5859 is an integer overflow vulnerability (CWE-472) in the WebML component of Google Chrome prior to version 147.0.7727.55. Published on 2026-04-08, it enables a remote attacker to potentially exploit heap corruption through a crafted HTML page. The issue carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is rated Critical by Chromium security.
A remote attacker with network access can exploit this vulnerability with low attack complexity and no required privileges, though user interaction is necessary, such as a user visiting a malicious webpage. Exploitation could achieve high impacts on confidentiality, integrity, and availability by triggering heap corruption.
Google's Chrome Releases blog (https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html) details the stable channel update addressing this issue, while the Chromium bug tracker (https://issues.chromium.org/issues/494158331) provides further technical information. Mitigation requires updating affected Google Chrome installations to version 147.0.7727.55 or later.
Details
- CWE(s)