CVE-2026-5913
Published: 08 April 2026
Summary
CVE-2026-5913 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Google Chrome. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 10.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-39 (Process Isolation) and SI-16 (Memory Protection).
Deeper analysis
CVE-2026-5913 is an out-of-bounds read vulnerability (CWE-125) in the Blink rendering engine within Google Chrome versions prior to 147.0.7727.55. The issue enables a remote attacker to perform an out-of-bounds memory read through a crafted HTML page. It carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H), despite being rated as low severity by Chromium security standards.
A remote attacker without privileges can exploit this vulnerability by luring a user to interact with a maliciously crafted HTML page, such as by visiting a website. Successful exploitation allows high confidentiality impact via unauthorized memory disclosure and high availability impact, potentially leading to browser crashes, with no integrity compromise.
The Chrome Releases blog announces the stable channel update for desktop to version 147.0.7727.55, which patches this vulnerability. Additional details on the issue and fix are available in the Chromium bug tracker at issues.chromium.org/issues/487195286.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-20746
Vulnerability details
Out of bounds read in Blink in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Low)
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability enables exploitation via a crafted HTML page visited by the user (drive-by), directly mapping to Drive-by Compromise (T1189) for initial access and memory disclosure.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Timely application of the Chrome patch to version 147.0.7727.55 directly remediates the out-of-bounds read vulnerability in the Blink rendering engine.
Implements memory protections such as ASLR, DEP, and stack canaries to minimize the impact and prevent successful exploitation of out-of-bounds memory reads in Blink.
Isolates Blink renderer processes in a sandbox to contain the effects of the out-of-bounds read, preventing unauthorized access to system resources.