Planned Fix

CVE-2026-5858

Chrome WebML heap buffer overflow RCE
Loading...

Summary

Google Chrome's WebML component contains a heap-based buffer overflow triggered by crafted HTML content. A remote attacker can lure a user into opening a malicious page, which can corrupt memory and lead to arbitrary code execution in the browser context. The issue affects Chrome versions before 147.0.7727.55.

Why Planned Fix?

5/6
No authentication required
Mixed internet / internal deployment
User interaction unknown (assumed none)
Exploitable in default configuration
No active exploitation or PoC
High impact vulnerability

Exploitation Details

Type
RCE (Remote Code Execution)
Is exploitable with default configuration?
Yes
Is authentication needed?
No
PoC / Exploit
No
Impact

Execute arbitrary code in Chrome via crafted HTML content.

RCE (Remote Code Execution)
Exploitation Requirements
  • Vulnerable Chrome version
  • victim opens attacker-controlled HTML page
Exploitation Process

A victim opens attacker-controlled HTML in a vulnerable Chrome version. The page exercises the WebML code path with crafted input that triggers a heap overflow. If the overflow is successfully weaponized, the attacker can execute code in the browser context or sandbox.

Detection Resources
Manual Detection
0
Script Detection
0
Scanner Detection
0

Affected Software

Vendor:Google
ProductAffected Versions
Google Chromeprior to 147.0.7727.55
Description

Google Chrome is a cross-platform web browser used to access websites, web apps, and HTML content.

Deployment:Mixed (internet/internal)
|
Protocol:HTTP/HTTPS
|
Ports:
Affected ComponentWebML handling of crafted HTML content in Chrome's rendering pipeline.

WebML handling of crafted HTML content in Chrome's rendering pipeline.

Enterprise UsageEstimated likelihood that this vendor/product is deployed in enterprise environments. AI-generated estimation based on market presence, product type and adoption signals — not exact data.
Very Low
Low
Medium
High
Very High
Vendor Size:Big
Remediation
Workaround
Avoid opening untrusted HTML pages in affected Chrome versions until the browser is updated.

Avoid opening untrusted HTML pages in affected Chrome versions until the browser is updated.

Patch

Not available

Update
Upgrade Google Chrome to 147.0.7727.55 on Linux or 147.0.7727.55/56 on Windows and Mac; the fix is included in the April 7, 2026 stable release.

Upgrade Google Chrome to 147.0.7727.55 on Linux or 147.0.7727.55/56 on Windows and Mac; the fix is included in the April 7, 2026 stable release.

chromereleases.googleblog.com
Threat Intelligence
EPSS data unavailable
CISAKEV
CISA KEV
Not Listed
Active Exploitation
No Evidence
Threat Actors

No known threat actors

Detection Rules

No detection rules available

NVD Data

Published: Loading...Modified: Loading...

Description Summary

Heap buffer overflow in WebML in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)

CVSS Base Score

CWE:CWE-122 Heap-based Buffer Overflow
||
Version From:
|
Version Upto:

Priority History

Planned FixLoading...

Initial analysis