Summary
Google Chrome's WebML component contains a heap-based buffer overflow triggered by crafted HTML content. A remote attacker can lure a user into opening a malicious page, which can corrupt memory and lead to arbitrary code execution in the browser context. The issue affects Chrome versions before 147.0.7727.55.
Why Planned Fix?
5/6Exploitation Details
Execute arbitrary code in Chrome via crafted HTML content.
RCE (Remote Code Execution)Affected Software
| Product | Affected Versions |
|---|---|
| Google Chrome | prior to 147.0.7727.55 |
Google Chrome is a cross-platform web browser used to access websites, web apps, and HTML content.
Affected ComponentWebML handling of crafted HTML content in Chrome's rendering pipeline.
WebML handling of crafted HTML content in Chrome's rendering pipeline.
Avoid opening untrusted HTML pages in affected Chrome versions until the browser is updated.
Avoid opening untrusted HTML pages in affected Chrome versions until the browser is updated.
Not available
Upgrade Google Chrome to 147.0.7727.55 on Linux or 147.0.7727.55/56 on Windows and Mac; the fix is included in the April 7, 2026 stable release.
Upgrade Google Chrome to 147.0.7727.55 on Linux or 147.0.7727.55/56 on Windows and Mac; the fix is included in the April 7, 2026 stable release.
No known threat actors
No detection rules available
NVD Data
Description Summary
CVSS Base Score
Sources
| Source | Article |
|---|---|
| chromereleases.googleblog.com | Stable Channel Update for Desktop |
| issues.chromium.org | Chromium Issue 493319454 |
| cvefeed.io | CVE-2026-5858 - Google Chrome Heap Buffer Overflow Vulnerability |
Priority History
Initial analysis