PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-5911 Apple CVE debrief

CVE-2026-5911 is a browser policy-bypass issue in Google Chrome ServiceWorkers. According to the official record, versions prior to 147.0.7727.55 could allow a remote attacker to bypass Content Security Policy by using a crafted HTML page. NVD rates the issue CVSS 3.1 4.3 (MEDIUM), with network attack vector, no privileges required, and user interaction required. Chromium’s own severity label is Low, but the finding is still relevant for environments that rely on CSP as part of their web defense model.

Vendor: Apple
Product: CVE-2026-5911
CVSS: MEDIUM 4.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-08
Original CVE updated: 2026-05-10
Advisory published: 2026-04-08
Advisory updated: 2026-05-10

Who should care

Security teams managing Chrome deployments, endpoint and browser administrators, and application owners who depend on Content Security Policy enforcement. Users and organizations running Chrome versions earlier than 147.0.7727.55 should prioritize remediation, especially where untrusted web content is regularly opened.

Technical summary

The record describes a policy-bypass weakness in Chrome ServiceWorkers that can be triggered remotely through a crafted HTML page. The effect is CSP bypass rather than full code execution, which aligns with the supplied CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) and the CWE-693 mapping in NVD. The vulnerable product scope in the source corpus is Google Chrome versions before 147.0.7727.55.

Defensive priority

Medium

Recommended defensive actions

  • Update Google Chrome to version 147.0.7727.55 or later.
  • Verify that browser auto-update is functioning across managed and unmanaged endpoints.
  • Accelerate deployment through enterprise browser management or patching workflows where Chrome is centrally managed.
  • Review web applications that depend on CSP and validate behavior with the fixed Chrome version.
  • Track the linked Chrome release notes and NVD record for any follow-up changes or clarifications.
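As an added illustration of the first two actions above (not code from PatchSiren or from the cited Chrome or NVD sources), the following Python check parses the version string Chrome reports and flags any install older than 147.0.7727.55. The `google-chrome` binary name and the sample output lines are assumptions made for the example.

```python
import re
import subprocess
from typing import Optional, Tuple

# Fixed Chrome version stated in the debrief; anything below it is in the vulnerable range.
FIXED_VERSION = "147.0.7727.55"

def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract a four-part Chrome version (e.g. '146.0.7720.12') from text such as
    the output of `google-chrome --version`; returns None if no version is present."""
    match = re.search(r"(\d+(?:\.\d+){3})", text)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))

def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is strictly older than the fixed version.
    Integer tuples are compared, not strings, so 146.0.9999.99 still sorts below 147.0.7727.55."""
    installed = parse_version(version)
    if installed is None:
        raise ValueError(f"no Chrome version found in {version!r}")
    return installed < parse_version(fixed)

def installed_chrome_version(binary: str = "google-chrome") -> Optional[str]:
    """Ask the local Chrome binary for its version; returns None if it is not installed.
    The binary name is an assumption; adjust it for the platform being checked."""
    try:
        out = subprocess.run([binary, "--version"], capture_output=True, text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return out.stdout.strip() or None

# Constructed sample lines, in the form `google-chrome --version` prints them, for three hosts.
SAMPLE_OUTPUT = [
    "Google Chrome 146.0.7720.12",
    "Google Chrome 147.0.7727.55",
    "Google Chrome 147.0.7730.3",
]

def triage(lines) -> dict:
    """Map each reported version line to its patch status for a fleet report."""
    return {line: ("VULNERABLE" if is_vulnerable(line) else "patched") for line in lines}

if __name__ == "__main__":
    live = installed_chrome_version()
    for line, status in triage(SAMPLE_OUTPUT + ([live] if live else [])).items():
        print(f"{status:10s} {line}")
```

On a managed fleet the same comparison can be fed from inventory data instead of a local binary call.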

Evidence notes

Based only on the supplied official sources: the NVD record for CVE-2026-5911, the linked Chrome release notes, and the Chromium issue reference. The source corpus identifies Google Chrome versions prior to 147.0.7727.55 as vulnerable and describes the impact as a CSP bypass via a crafted HTML page. NVD shows publication on 2026-04-08 and a modified record on 2026-05-10. Note: the provided vendor metadata field says Apple, but the vulnerability evidence in the record is for Google Chrome; this debrief follows the source references and CPE criteria.

Official resources

Publicly disclosed in the official NVD record on 2026-04-08 and modified on 2026-05-10. The advisory references Chrome release notes and a Chromium issue entry.