CVE-2026-5914
Published: 08 April 2026
Summary
CVE-2026-5914 is a high-severity Type Confusion (CWE-843) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 7.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-11 (User-installed Software) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-2 mandates timely flaw remediation, directly mitigating the CSS type confusion vulnerability by requiring updates to Chrome version 147.0.7727.55 or later.
CM-11 restricts user-installed software, preventing the installation of the malicious Chrome Extension needed to trigger the heap corruption.
SI-3 deploys malicious code protection mechanisms that can scan for and block harmful extensions exploiting the type confusion in CSS.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The type confusion vulnerability in Chrome directly enables exploitation for client execution, as a crafted malicious extension can trigger heap corruption leading to arbitrary code execution in the browser context.
NVD Description
Type Confusion in CSS in Google Chrome prior to 147.0.7727.55 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension. (Chromium security severity: Low)
Deeper analysisAI
CVE-2026-5914 is a type confusion vulnerability (CWE-843) in the CSS component of Google Chrome prior to version 147.0.7727.55. Published on 2026-04-08, it enables potential heap corruption through a crafted Chrome Extension. Despite Chromium classifying it as low severity, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
An attacker can exploit this vulnerability by convincing a targeted user to install a malicious Chrome Extension, which triggers the type confusion and heap corruption. No special privileges are required, and the attack is network-accessible with low complexity, though it relies on user interaction for extension installation. Successful exploitation could result in high-impact compromise of confidentiality, integrity, and availability, potentially leading to arbitrary code execution within the browser context.
Mitigation is available via the Google Chrome stable channel update to version 147.0.7727.55 or later, as announced in the Chrome Releases blog at https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html and detailed in the Chromium issue tracker at https://issues.chromium.org/issues/490023239. Security practitioners should prioritize updating affected systems and advise users against installing untrusted extensions.
Details
- CWE(s)