{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5873", "assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "state": "PUBLISHED", "assignerShortName": "Chrome", "dateReserved": "2026-04-08T19:34:35.913Z", "datePublished": "2026-04-08T21:20:45.703Z", "dateUpdated": "2026-04-10T03:55:55.449Z"}, "containers": {"cna": {"affected": [{"vendor": "Google", "product": "Chrome", "versions": [{"version": "147.0.7727.55", "status": "affected", "lessThan": "147.0.7727.55", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Out of bounds read and write in V8 in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Out of bounds read and write"}]}], "providerMetadata": {"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "shortName": "Chrome", "dateUpdated": "2026-04-08T21:20:45.703Z"}, "references": [{"url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html"}, {"url": "https://issues.chromium.org/issues/496301615"}]}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-5873"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T03:55:55.449Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Out of bounds read and write in V8 in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)"}], "id": "CVE-2026-5873", "lastModified": "2026-04-08T22:16:26.907", "metrics": {}, "published": "2026-04-08T22:16:26.907", "references": [{"source": "chrome-cve-admin@google.com", "url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html"}, {"source": "chrome-cve-admin@google.com", "url": "https://issues.chromium.org/issues/496301615"}], "sourceIdentifier": "chrome-cve-admin@google.com", "vulnStatus": "Received"}

{"bugzilla": {"description": "chromium-browser: Out of bounds read and write in V8", "id": "2456808", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456808"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.6", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-125", "details": ["Out of bounds read and write in V8 in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)", "An out of bounds read and write flaw was found in the V8 component of the Chromium browser.\nUpstream bug(s):\nhttps://code.google.com/p/chromium/issues/detail?id=496301615"], "name": "CVE-2026-5873", "public_date": "2026-04-07T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-5873\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-5873\nhttps://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html\nhttps://issues.chromium.org/issues/496301615"], "statement": "Red Hat Product Security rates the severity of this flaw as determined by the Google Chrome Security Advisory.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,147.0.7727.55)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Chrome", "source": "cna", "vendor": "Google"}, "product": "chrome", "vendor": "google"}], "analysis": {"en": {"generated_at": "2026-04-08T22:47:11.639801+00:00", "value": {"mitigation_remediation": ["Update Google Chrome to version 147.0.7727.55 or later.", "Verify that the update was applied by checking the version number in Chrome\u2019s About page."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution via sandbox"}, "threat_synthesis": {"affected_systems": "Chrome browsers running a version earlier than 147.0.7727.55 on any operating system are affected. Users who have not installed the latest stable update are at risk.", "description_and_impact": "V8, the JavaScript engine in Google Chrome, contains an out\u2011of\u2011bounds read and write that allows an attacker to execute arbitrary code inside the browser sandbox through a specially crafted HTML page. The vulnerability is classified as high severity, meaning a successful exploit would compromise the confidentiality, integrity, and availability of the affected system.", "risk_and_exploitability": "The attack vector is remote: an adversary can host a malicious web page that triggers the out\u2011of\u2011bounds memory operation when a user visits it. No CVSS score is supplied, but the designation \u201chigh\u201d indicates significant risk. EPSS data is unavailable, and the vulnerability has not been listed in the CISA KEV catalog. Consequently, the likelihood of exploitation remains uncertain but potentially high given the remote nature of the flaw and the widespread use of Chrome."}}}}, "created": "2026-04-09T08:17:29.535782+00:00", "title": "V8 Out-of-Bounds Read/Write Allows Remote Code Execution via Crafted HTML", "updated": "2026-04-09T08:26:53.072198+00:00", "vendors": ["google", "google$PRODUCT$chrome"], "weaknesses": ["CWE-787"]}