CVE-2026-5910
Published: 08 April 2026
Summary
CVE-2026-5910 is a high-severity External Control of Assumed-Immutable Web Parameter (CWE-472) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 26.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mandates timely remediation of software flaws like the integer overflow in Chrome's Media component via patching to version 147.0.7727.55.
Implements memory protection mechanisms such as ASLR and DEP to mitigate heap corruption from integer overflows during crafted video processing.
Requires validation of information inputs like crafted video files to prevent integer overflows in the Media component.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is an integer overflow in Chrome's media handling that triggers heap corruption when processing a crafted video file. Exploitation requires user interaction to open the malicious file, directly enabling client-side code execution (T1203) via a malicious file (T1204.002).
NVD Description
Integer overflow in Media in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to potentially exploit heap corruption via a crafted video file. (Chromium security severity: Low)
Deeper analysisAI
CVE-2026-5910 is an integer overflow vulnerability (CWE-472) in the Media component of Google Chrome prior to version 147.0.7727.55. Published on 2026-04-08, the flaw enables a remote attacker to potentially trigger heap corruption by processing a crafted video file. Chromium rates its security severity as Low, though the CVSS v3.1 base score is 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
A remote attacker can exploit this vulnerability over the network with low attack complexity and no privileges required, but it depends on user interaction such as opening a malicious video file in an affected Chrome browser. Successful exploitation could lead to high-impact compromise of confidentiality, integrity, and availability, potentially allowing arbitrary code execution or other severe effects via heap corruption.
The Chrome Releases blog announces the stable channel update for desktop to version 147.0.7727.55, which patches this issue. Additional technical details and the fix are documented in the Chromium issue tracker at https://issues.chromium.org/issues/485212874.
Details
- CWE(s)