CVE-2026-5870
Published: 08 April 2026
Summary
CVE-2026-5870 is a high-severity External Control of Assumed-Immutable Web Parameter (CWE-472) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 29.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the integer overflow in Skia by requiring timely patching to Chrome 147.0.7727.55 or later.
Provides memory protection mechanisms like ASLR and DEP that hinder arbitrary code execution resulting from the integer overflow.
Validates crafted HTML inputs to prevent triggering the integer overflow vulnerability in the Skia graphics library.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability enables drive-by compromise (T1189) and exploitation for client execution (T1203) via crafted HTML in a browser, leading to sandboxed arbitrary code execution.
NVD Description
Integer overflow in Skia in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Deeper analysisAI
CVE-2026-5870 is an integer overflow vulnerability in the Skia graphics library within Google Chrome prior to version 147.0.7727.55. This issue, mapped to CWE-190 (Integer Overflow or Wraparound) and CWE-472 (External Control of Assumed-Immutable Web Parameter), carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is rated High severity by Chromium. Published on 2026-04-08, it allows a remote attacker to execute arbitrary code inside the browser's sandbox through a crafted HTML page.
The attack requires no privileges and low complexity, with a remote attacker (AV:N/PR:N) enticing a user to interact with a malicious site (AC:L/UI:R). Exploitation results in arbitrary code execution confined to the sandbox (S:U), yielding high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H).
Mitigation is addressed in the Chrome stable channel update for desktop, as detailed in the Chrome Releases blog at https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html, and the upstream fix in Chromium issue 495534710 at https://issues.chromium.org/issues/495534710. Users should update to Google Chrome 147.0.7727.55 or later to patch the vulnerability.
Details
- CWE(s)