CVE-2026-5884
Published: 08 April 2026
Summary
CVE-2026-5884 is a high-severity Improper Input Validation (CWE-20) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 35.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires validation and error handling for untrusted input in the Chrome Media component to prevent arbitrary code execution from crafted HTML pages.
Mandates timely remediation of the specific input validation flaw by patching Chrome to version 147.0.7727.55 or later.
Facilitates identification of systems with vulnerable Chrome versions through vulnerability scanning, enabling remediation before exploitation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability enables arbitrary code execution in the Chrome renderer sandbox via a crafted HTML page requiring user interaction, directly facilitating Exploitation for Client Execution (T1203) and Drive-by Compromise (T1189).
NVD Description
Insufficient validation of untrusted input in Media in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who had compromised the renderer process to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)
Deeper analysisAI
CVE-2026-5884 involves insufficient validation of untrusted input in the Media component of Google Chrome prior to version 147.0.7727.55. This vulnerability, mapped to CWE-20, was published on 2026-04-08 and carries a Chromium security severity rating of Medium along with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
A remote attacker who has compromised the renderer process can exploit this issue via a crafted HTML page to execute arbitrary code inside the sandbox. The attack requires network access, low attack complexity, no privileges, and user interaction, but achieves high impacts on confidentiality, integrity, and availability without scope change.
Mitigation details are provided in the Chrome stable channel update at https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html and the associated Chromium issue at https://issues.chromium.org/issues/484547633, which address the flaw in version 147.0.7727.55 and recommend updating to this or later versions.
Details
- CWE(s)