Cyber Posture

CVE-2026-5860

High

Published: 08 April 2026
Modified: 13 April 2026
KEV Added: not listed
Patch: Chrome 147.0.7727.55
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0013 (32.5th percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-5860 is a high-severity Use After Free (CWE-416) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). EPSS ranks it at the 32.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent (SI-2, Flaw Remediation): Mandates timely identification, reporting, and correction of flaws such as the WebRTC use-after-free vulnerability through patching to Chrome 147.0.7727.55.

prevent (SI-16, Memory Protection): Implements memory protection mechanisms like ASLR and DEP that directly mitigate exploitation of use-after-free vulnerabilities in browser components.

detect: Requires vulnerability scanning to identify systems running vulnerable Chrome versions affected by CVE-2026-5860, enabling prompt remediation.
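As an added example (not code from this page or from Google), the following Python check implements the detect control above: it compares inventoried Chrome versions numerically against the fix version 147.0.7727.55 named in the NVD description. The inventory line format, hostnames and versions are constructed for the example and do not come from any real scanner.

```python
"""Classify inventoried Chrome builds against the CVE-2026-5860 fix version."""
from typing import Dict, List, Tuple

# Fix version taken from the NVD description on this page: builds prior to it are affected.
FIXED_VERSION = "147.0.7727.55"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted Chrome version such as '147.0.7727.55' into a comparable tuple.

    Raises ValueError for anything that is not four dot-separated integers, so that
    unparsable records are reported rather than silently treated as patched.
    """
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Chrome version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build is older than the fixed build.

    Integer-tuple comparison avoids the string-comparison trap where
    '99.0.4844.51' sorts after '147.0.7727.55' because '9' > '1'.
    """
    return parse_version(version) < parse_version(fixed)


def triage_inventory(lines: List[str]) -> Dict[str, List[str]]:
    """Bucket 'host,version' records (constructed format) into vulnerable/patched/unparsed."""
    result: Dict[str, List[str]] = {"vulnerable": [], "patched": [], "unparsed": []}
    for line in lines:
        host, _, version = line.partition(",")
        try:
            bucket = "vulnerable" if is_vulnerable(version) else "patched"
        except ValueError:
            bucket = "unparsed"
        result[bucket].append(host.strip())
    return result


# Constructed sample inventory: hostnames and versions are made up for this example.
SAMPLE_INVENTORY = [
    "wks-001,146.0.7700.120",   # earlier major build: vulnerable
    "wks-002,147.0.7727.55",    # exactly the fix version: patched
    "wks-003,147.0.7727.61",    # later patch build: patched
    "wks-004,99.0.4844.51",     # old build that naive string comparison would call patched
    "wks-005,unknown",          # agent could not read the version: needs follow-up
]

if __name__ == "__main__":
    print(triage_inventory(SAMPLE_INVENTORY))
```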

MITRE ATT&CK Enterprise Techniques

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

The vulnerability is a use-after-free in Chrome's WebRTC exploited via a malicious HTML page, enabling arbitrary code execution in the browser sandbox, directly mapping to Exploitation for Client Execution (T1203).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Use after free in WebRTC in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Deeper analysis

CVE-2026-5860 is a use-after-free vulnerability (CWE-416) in the WebRTC component of Google Chrome prior to version 147.0.7727.55. Published on 2026-04-08, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is classified as High severity by Chromium security.

A remote attacker can exploit this issue by crafting an HTML page that triggers the use-after-free condition in WebRTC. Exploitation requires user interaction, such as visiting the malicious page, and enables the attacker to execute arbitrary code within the browser's sandbox.

Google addressed the vulnerability in Chrome stable channel update 147.0.7727.55, as detailed in the Chrome Releases blog post (https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html) and the associated Chromium issue tracker entry (https://issues.chromium.org/issues/486495143). Users should update to the patched version to mitigate the risk.

Details

CWE(s)

CWE-416 (Use After Free)
Affected Products

google
chrome
≤ 147.0.7727.55

CVEs Like This One

CVE-2026-3921 (same product: Apple macOS)
CVE-2025-13638 (same product: Apple macOS)
CVE-2026-7348 (same product: Apple macOS)
CVE-2025-8578 (same product: Apple macOS)
CVE-2026-7338 (same product: Apple macOS)
CVE-2026-7940 (same product: Apple macOS)
CVE-2026-3919 (same product: Apple macOS)
CVE-2025-14765 (same product: Apple macOS)
CVE-2026-2321 (same product: Apple macOS)
CVE-2025-11460 (same product: Apple macOS)
