Cyber Resilience

CVE-2026-5914

High

Published: 08 April 2026

Published
08 April 2026
Modified
14 April 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0016 5.9th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-5914 is a high-severity Type Confusion (CWE-843) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 5.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-11 (User-installed Software) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-5914 is a type confusion vulnerability (CWE-843) in the CSS component of Google Chrome prior to version 147.0.7727.55. Published on 2026-04-08, it enables potential heap corruption through a crafted Chrome Extension. Despite Chromium classifying it as low severity, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

An attacker can exploit this vulnerability by convincing a targeted user to install a malicious Chrome Extension, which triggers the type confusion and heap corruption. No special privileges are required, and the attack is network-accessible with low complexity, though it relies on user interaction for extension installation. Successful exploitation could result in high-impact compromise of confidentiality, integrity, and availability, potentially leading to arbitrary code execution within the browser context.

Mitigation is available via the Google Chrome stable channel update to version 147.0.7727.55 or later, as announced in the Chrome Releases blog at https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html and detailed in the Chromium issue tracker at https://issues.chromium.org/issues/490023239. Security practitioners should prioritize updating affected systems and advise users against installing untrusted extensions.

EU & UK References

Vulnerability details

Type Confusion in CSS in Google Chrome prior to 147.0.7727.55 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension. (Chromium security severity: Low)

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

The type confusion vulnerability in Chrome directly enables exploitation for client execution, as a crafted malicious extension can trigger heap corruption leading to arbitrary code execution in the browser context.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-7337Same product: Apple Macos
CVE-2025-13226Same product: Apple Macos
CVE-2025-10585Same product: Apple Macos
CVE-2026-1862Same product: Apple Macos
CVE-2025-13230Same product: Apple Macos
CVE-2025-13229Same product: Apple Macos
CVE-2026-7988Same product: Apple Macos
CVE-2026-7927Same product: Apple Macos
CVE-2026-4457Same product: Apple Macos
CVE-2025-13224Same product: Apple Macos

Affected Assets

google
chrome
≤ 147.0.7727.55

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-2 mandates timely flaw remediation, directly mitigating the CSS type confusion vulnerability by requiring updates to Chrome version 147.0.7727.55 or later.

prevent

CM-11 restricts user-installed software, preventing the installation of the malicious Chrome Extension needed to trigger the heap corruption.

preventdetect

SI-3 deploys malicious code protection mechanisms that can scan for and block harmful extensions exploiting the type confusion in CSS.

References