Cyber Resilience

CVE-2026-5870

High

Published: 08 April 2026

Published
08 April 2026
Modified
13 April 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0030 21.8th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-5870 is a high-severity External Control of Assumed-Immutable Web Parameter (CWE-472) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 21.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-5870 is an integer overflow vulnerability in the Skia graphics library within Google Chrome prior to version 147.0.7727.55. This issue, mapped to CWE-190 (Integer Overflow or Wraparound) and CWE-472 (External Control of Assumed-Immutable Web Parameter), carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is rated High severity by Chromium. Published on 2026-04-08, it allows a remote attacker to execute arbitrary code inside the browser's sandbox through a crafted HTML page.

The attack requires no privileges and low complexity, with a remote attacker (AV:N/PR:N) enticing a user to interact with a malicious site (AC:L/UI:R). Exploitation results in arbitrary code execution confined to the sandbox (S:U), yielding high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H).

Mitigation is addressed in the Chrome stable channel update for desktop, as detailed in the Chrome Releases blog at https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html, and the upstream fix in Chromium issue 495534710 at https://issues.chromium.org/issues/495534710. Users should update to Google Chrome 147.0.7727.55 or later to patch the vulnerability.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Integer overflow in Skia in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1189 Drive-by Compromise Initial Access
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

The vulnerability enables drive-by compromise (T1189) and exploitation for client execution (T1203) via crafted HTML in a browser, leading to sandboxed arbitrary code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-3536Same product: Apple Macos
CVE-2026-3914Same product: Apple Macos
CVE-2026-4679Same product: Apple Macos
CVE-2026-4464Same product: Apple Macos
CVE-2025-10892Same product: Apple Macos
CVE-2025-10891Same product: Apple Macos
CVE-2026-9968Same product: Apple Macos
CVE-2026-9882Same product: Apple Macos
CVE-2026-7896Same product: Apple Macos
CVE-2026-5274Same product: Apple Macos

Affected Assets

google
chrome
≤ 147.0.7727.55

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the integer overflow in Skia by requiring timely patching to Chrome 147.0.7727.55 or later.

prevent

Provides memory protection mechanisms like ASLR and DEP that hinder arbitrary code execution resulting from the integer overflow.

prevent

Validates crafted HTML inputs to prevent triggering the integer overflow vulnerability in the Skia graphics library.

References