CVE-2026-5904
Published: 08 April 2026
Summary
CVE-2026-5904 is a high-severity Use After Free (CWE-416) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 9.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-11 (User-installed Software) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires identification, reporting, and timely remediation of the use-after-free flaw in Chrome's V8 engine via patching to version 147.0.7727.55 or later.
Enforces organizational policies to manage and restrict user installation of unapproved software, preventing deployment of the malicious Chrome extension required to trigger the vulnerability.
Implements memory protections such as DEP and ASLR to mitigate exploitation of the heap corruption resulting from the use-after-free condition in V8.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Use-after-free in Chrome V8 enables RCE in renderer via malicious extension triggering crafted content.
NVD Description
Use after free in V8 in Google Chrome prior to 147.0.7727.55 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension. (Chromium security severity: Low)
Deeper analysisAI
CVE-2026-5904 is a use-after-free vulnerability (CWE-416) in the V8 JavaScript and WebAssembly engine within Google Chrome versions prior to 147.0.7727.55. This flaw allows potential heap corruption when processing crafted inputs, as detailed in the Chromium security advisory with a severity rating of Low despite a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
An attacker can exploit this vulnerability by convincing a targeted user to install a malicious Chrome extension. Once installed, the extension can trigger the use-after-free condition through specially crafted content, leading to heap corruption. Successful exploitation could result in arbitrary code execution with the privileges of the Chrome renderer process, potentially compromising confidentiality, integrity, and availability of the affected system.
Mitigation is available via the stable channel update for Chrome desktop, as announced in the Chrome Releases blog post at https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html. Users should update to Google Chrome 147.0.7727.55 or later. Additional technical details are provided in the Chromium issue tracker at https://issues.chromium.org/issues/483851888.
Details
- CWE(s)