{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5858", "assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "state": "PUBLISHED", "assignerShortName": "Chrome", "dateReserved": "2026-04-08T19:34:31.447Z", "datePublished": "2026-04-08T21:20:38.772Z", "dateUpdated": "2026-04-10T03:55:35.775Z"}, "containers": {"cna": {"affected": [{"vendor": "Google", "product": "Chrome", "versions": [{"version": "147.0.7727.55", "status": "affected", "lessThan": "147.0.7727.55", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Heap buffer overflow in WebML in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Heap buffer overflow", "cweId": "CWE-122"}]}], "providerMetadata": {"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "shortName": "Chrome", "dateUpdated": "2026-04-08T21:20:38.772Z"}, "references": [{"url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html"}, {"url": "https://issues.chromium.org/issues/493319454"}]}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-5858"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T03:55:35.775Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Heap buffer overflow in WebML in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)"}], "id": "CVE-2026-5858", "lastModified": "2026-04-08T22:16:25.253", "metrics": {}, "published": "2026-04-08T22:16:25.253", "references": [{"source": "chrome-cve-admin@google.com", "url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html"}, {"source": "chrome-cve-admin@google.com", "url": "https://issues.chromium.org/issues/493319454"}], "sourceIdentifier": "chrome-cve-admin@google.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-122"}], "source": "chrome-cve-admin@google.com", "type": "Primary"}]}

{"bugzilla": {"description": "Google Chrome: WebML: Chromium: Google Chrome: Arbitrary code execution via heap buffer overflow in WebML", "id": "2456793", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456793"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-131", "details": ["A flaw was found in WebML in Google Chrome. A remote attacker could exploit a heap buffer overflow vulnerability by enticing a user to visit a specially crafted HTML page. Successful exploitation of this memory corruption flaw could allow the attacker to execute arbitrary code on the affected system, leading to a complete compromise."], "name": "CVE-2026-5858", "public_date": "2026-04-08T21:20:38Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-5858\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-5858\nhttps://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html\nhttps://issues.chromium.org/issues/493319454"], "statement": "Red Hat Product Security rates the severity of this flaw as determined by the Google Chrome Security Advisory.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[147.0.7727.55,147.0.7727.55)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Chrome", "source": "cna", "vendor": "Google"}, "product": "chrome", "vendor": "google"}], "analysis": {"en": {"generated_at": "2026-04-10T01:24:54.248430+00:00", "value": {"mitigation_remediation": ["Update Google Chrome to version 147.0.7727.55 or newer.", "If an upgrade cannot be applied immediately, disable the WebML feature through Chrome policy or a command\u2011line flag.", "Monitor for anomalous activity or unauthorized code execution within the browser environment."], "summary": {"action": "Patch Now", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Affected users are those running Google Chrome before version 147.0.7727.55. Any stable channel build released prior to the April 2026 update is vulnerable. No other vendors or products are listed as impacted.", "description_and_impact": "A heap buffer overflow in the WebML component of Google Chrome enables a remote attacker to execute arbitrary code by loading a specially crafted HTML page. The flaw arises when the WebML API performs an unchecked write to a heap buffer, allowing memory corruption that an attacker can exploit to gain full privileges within the browser process. This vulnerability corresponds to CWE\u2011122 and CWE\u2011131, highlighting unchecked buffer writes and improper bounds checks.", "risk_and_exploitability": "The CVSS score of 8.8 indicates high severity, while the EPSS score of less than 1% suggests a low probability of exploitation in the wild. Nonetheless, the critical nature of remote code execution warrants immediate action. Attackers would need to entice a user to open a malicious HTML page in Chrome; no additional privilege escalation is required beyond user interaction. The flaw is not listed in the CISA KEV catalog, but its impact is sufficient for urgent mitigation."}}}}, "created": "2026-04-09T08:17:44.571456+00:00", "updated": "2026-04-10T09:40:31.609338+00:00", "vendors": ["google", "google$PRODUCT$chrome"]}