CVE-2026-5913

High

Published: 08 April 2026

Published

08 April 2026

Modified

14 April 2026

KEV Added

—

Patch

—

CVSS Score 8.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H

EPSS Score 0.0009 26.0th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-5913 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Google Chrome. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 26.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-39 (Process Isolation) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Drive-by Compromise (T1189). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Timely application of the Chrome patch to version 147.0.7727.55 directly remediates the out-of-bounds read vulnerability in the Blink rendering engine.

SI-16 Memory Protection good match

prevent

Implements memory protections such as ASLR, DEP, and stack canaries to minimize the impact and prevent successful exploitation of out-of-bounds memory reads in Blink.

SC-39 Process Isolation good match

prevent

Isolates Blink renderer processes in a sandbox to contain the effects of the out-of-bounds read, preventing unauthorized access to system resources.

MITRE ATT&CK Enterprise TechniquesAI

T1189 Drive-by Compromise Initial Access

Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.

attack.mitre.org →

Why these techniques?

The vulnerability enables exploitation via a crafted HTML page visited by the user (drive-by), directly mapping to Drive-by Compromise (T1189) for initial access and memory disclosure.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Out of bounds read in Blink in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Low)

Deeper analysisAI

CVE-2026-5913 is an out-of-bounds read vulnerability (CWE-125) in the Blink rendering engine within Google Chrome versions prior to 147.0.7727.55. The issue enables a remote attacker to perform an out-of-bounds memory read through a crafted HTML page. It carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H), despite being rated as low severity by Chromium security standards.

A remote attacker without privileges can exploit this vulnerability by luring a user to interact with a maliciously crafted HTML page, such as by visiting a website. Successful exploitation allows high confidentiality impact via unauthorized memory disclosure and high availability impact, potentially leading to browser crashes, with no integrity compromise.

The Chrome Releases blog announces the stable channel update for desktop to version 147.0.7727.55, which patches this vulnerability. Additional details on the issue and fix are available in the Chromium bug tracker at issues.chromium.org/issues/487195286.

Details

CWE(s): CWE-125

Affected Products

google

chrome

≤ 147.0.7727.55

CVEs Like This One

CVE-2026-3061Same product: Apple Macos

CVE-2026-5282Same product: Apple Macos

CVE-2026-4462Same product: Apple Macos

CVE-2026-4674Same product: Apple Macos

CVE-2026-3540Same product: Apple Macos

CVE-2026-4677Same product: Apple Macos

CVE-2026-3926Same product: Apple Macos

CVE-2026-4460Same product: Apple Macos

CVE-2026-5292Same product: Apple Macos

CVE-2026-4439Same product: Apple Macos

References

https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html
Release Notes, Vendor Advisory · chrome-cve-admin@google.com
https://issues.chromium.org/issues/487195286
Permissions Required · chrome-cve-admin@google.com