Cyber Resilience

CVE-2026-5913

High

Published: 08 April 2026

Published
08 April 2026
Modified
14 April 2026
KEV Added
Patch
CVSS Score v3.1 8.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
EPSS Score 0.0021 10.4th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-5913 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Google Chrome. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 10.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-39 (Process Isolation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-5913 is an out-of-bounds read vulnerability (CWE-125) in the Blink rendering engine within Google Chrome versions prior to 147.0.7727.55. The issue enables a remote attacker to perform an out-of-bounds memory read through a crafted HTML page. It carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H), despite being rated as low severity by Chromium security standards.

A remote attacker without privileges can exploit this vulnerability by luring a user to interact with a maliciously crafted HTML page, such as by visiting a website. Successful exploitation allows high confidentiality impact via unauthorized memory disclosure and high availability impact, potentially leading to browser crashes, with no integrity compromise.

The Chrome Releases blog announces the stable channel update for desktop to version 147.0.7727.55, which patches this vulnerability. Additional details on the issue and fix are available in the Chromium bug tracker at issues.chromium.org/issues/487195286.

EU & UK References

Vulnerability details

Out of bounds read in Blink in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Low)

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1189 Drive-by Compromise Initial Access
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
Why these techniques?

The vulnerability enables exploitation via a crafted HTML page visited by the user (drive-by), directly mapping to Drive-by Compromise (T1189) for initial access and memory disclosure.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-5282Same product: Apple Macos
CVE-2026-9953Same product: Apple Macos
CVE-2026-3061Same product: Apple Macos
CVE-2026-4460Same product: Apple Macos
CVE-2026-9121Same product: Apple Macos
CVE-2026-4439Same product: Apple Macos
CVE-2026-4674Same product: Apple Macos
CVE-2026-4462Same product: Apple Macos
CVE-2026-4677Same product: Apple Macos
CVE-2026-5292Same product: Apple Macos

Affected Assets

google
chrome
≤ 147.0.7727.55

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Timely application of the Chrome patch to version 147.0.7727.55 directly remediates the out-of-bounds read vulnerability in the Blink rendering engine.

prevent

Implements memory protections such as ASLR, DEP, and stack canaries to minimize the impact and prevent successful exploitation of out-of-bounds memory reads in Blink.

prevent

Isolates Blink renderer processes in a sandbox to contain the effects of the out-of-bounds read, preventing unauthorized access to system resources.

References