{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5877", "assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "state": "PUBLISHED", "assignerShortName": "Chrome", "dateReserved": "2026-04-08T19:34:36.847Z", "datePublished": "2026-04-08T21:20:47.756Z", "dateUpdated": "2026-04-08T21:20:47.756Z"}, "containers": {"cna": {"affected": [{"vendor": "Google", "product": "Chrome", "versions": [{"version": "147.0.7727.55", "status": "affected", "lessThan": "147.0.7727.55", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Use after free in Navigation in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Use after free", "cweId": "CWE-416"}]}], "providerMetadata": {"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "shortName": "Chrome", "dateUpdated": "2026-04-08T21:20:47.756Z"}, "references": [{"url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html"}, {"url": "https://issues.chromium.org/issues/333024273"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Use after free in Navigation in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)"}], "id": "CVE-2026-5877", "lastModified": "2026-04-08T22:16:27.323", "metrics": {}, "published": "2026-04-08T22:16:27.323", "references": [{"source": "chrome-cve-admin@google.com", "url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html"}, {"source": "chrome-cve-admin@google.com", "url": "https://issues.chromium.org/issues/333024273"}], "sourceIdentifier": "chrome-cve-admin@google.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "chrome-cve-admin@google.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[147.0.7727.55,147.0.7727.55)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Chrome", "source": "cna", "vendor": "Google"}, "product": "chrome", "vendor": "google"}], "analysis": {"en": {"generated_at": "2026-04-08T22:45:37.510634+00:00", "value": {"mitigation_remediation": ["Upgrade Google Chrome to build 147.0.7727.55 or newer", "Enable automatic updates to receive future patches promptly"], "summary": {"action": "Patch Now", "impact": "Remote code execution"}, "threat_synthesis": {"affected_systems": "Google Chrome versions earlier than 147.0.7727.55 are affected. All platforms that run Chrome before this build\u2014including Windows, macOS, Linux, and Chrome\u2011based browsers on those operating systems\u2014may be vulnerable to the flaw when visiting a malicious page.", "description_and_impact": "A use\u2011after\u2011free flaw in Chrome\u2019s navigation code lets a crafted web page free an object and subsequently reuse it, causing arbitrary code to run inside the browser\u2019s sandbox. The weakness directly supports execution of attacker\u2011supplied instructions and is classified as CWE\u2011416. This single vulnerability can compromise the confidentiality and integrity of the user\u2019s system by allowing any code the browser is permitted to run.", "risk_and_exploitability": "The flaw is exploitable remotely via a crafted HTML page that a user can open or visit over the internet. No special privileges are required beyond normal browser usage, and the attack occurs within the sandbox environment. The vulnerability carries a medium severity rating and is not listed in the CISA KEV catalog; its EPSS score is currently unavailable. The attack vector is inferred from the description of a remote attacker serving a malicious page to the browser."}}}}, "created": "2026-04-09T08:17:25.530386+00:00", "title": "Use-After-Free in Chrome Navigation Enables Remote Code Execution", "updated": "2026-04-09T08:26:48.995480+00:00", "vendors": ["google", "google$PRODUCT$chrome"]}