PatchSiren cyber security CVE debrief
CVE-2026-5273 Google CVE debrief
A use-after-free vulnerability in the CSS processing component of Google Chrome, assigned CVE-2026-5273, was disclosed on 2026-04-01 and last modified on 2026-06-01. The flaw affects Chrome versions prior to 146.0.7680.178 and carries a Chromium security severity rating of High, with a CVSS 3.1 base score of 6.3 (MEDIUM). The vulnerability stems from improper memory management during CSS operations (CWE-416), enabling a remote attacker to execute arbitrary code within the browser sandbox by enticing a user to visit a crafted HTML page. The attack requires no privileges and minimal user interaction (rendering a malicious page), with a network-based attack vector and low attack complexity. Although the vendor field in the source data lists Apple with medium confidence, the CPE criteria and advisory sources clearly identify Google Chrome as the affected product; the Apple macOS CPE entry is marked as non-vulnerable and appears to represent a platform mapping rather than product attribution. No known exploitation in ransomware campaigns has been documented, and this CVE is not listed in CISA's Known Exploited Vulnerabilities catalog.
- Vendor:
- Product: Chrome
- CVSS: MEDIUM 6.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-04-01
- Original CVE updated: 2026-06-01
- Advisory published: 2026-04-01
- Advisory updated: 2026-06-01
Who should care
Organizations with Google Chrome deployments, security teams managing browser patch cycles, and users handling untrusted web content.
Technical summary
The vulnerability exists in Chrome's CSS engine where a use-after-free condition can be triggered through malicious HTML content. When exploited, arbitrary code execution occurs within the renderer sandbox, limiting immediate system compromise but potentially enabling further sandbox escape chains. The fix was released in Chrome stable channel version 146.0.7680.178.
Defensive priority
High
Recommended defensive actions
- Upgrade Google Chrome to version 146.0.7680.178 or later as provided in the stable channel update.
- For managed enterprise environments, validate patch deployment through standard software update channels and verify installation via chrome://version/.
- Restrict or monitor execution of untrusted HTML content and web pages, particularly from unverified sources, until patching is complete.
- Review browser sandbox configurations and ensure they remain enabled, as the vulnerability executes within the sandbox context.
- Monitor for anomalous browser crashes or unexpected renderer process terminations that may indicate exploitation attempts against unpatched systems.
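As an added example (not part of the PatchSiren debrief or any Google tooling), the following Python triages a constructed endpoint inventory of chrome://version/ strings against the fixed build 146.0.7680.178, comparing version components as integers and reporting unparseable entries as unknown rather than patched. The hostnames, the "hostname,version" export format and the function names are assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

FIXED_VERSION = "146.0.7680.178"  # fixed stable-channel build named in the debrief
# Chrome versions are four dot-separated integers: major.minor.build.patch.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")

def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Pull the 4-part version out of a chrome://version/ style string.

    Accepts "146.0.7680.178" and "146.0.7680.178 (Official Build) (64-bit)";
    returns None when no such version is present so the caller reports the
    entry as unknown instead of silently counting it as patched.
    """
    m = _VERSION_RE.search(text)
    return tuple(int(g) for g in m.groups()) if m else None

def is_patched(version_text: str, fixed: str = FIXED_VERSION) -> Optional[bool]:
    """True if version >= fixed, False if older, None if unparseable."""
    v, f = parse_version(version_text), parse_version(fixed)
    if v is None or f is None:
        return None
    # Tuples compare component-wise as integers, so 146.0.7680.9 is older than
    # 146.0.7680.178 (a plain string comparison would rank it newer).
    return v >= f

def triage_inventory(lines: List[str]) -> Dict[str, List[str]]:
    """Bucket 'hostname,version' lines into patched / unpatched / unknown."""
    result: Dict[str, List[str]] = {"patched": [], "unpatched": [], "unknown": []}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and header comments
        host, _, version_text = line.partition(",")
        status = is_patched(version_text)
        bucket = "unknown" if status is None else ("patched" if status else "unpatched")
        result[bucket].append(host.strip())
    return result

# Constructed sample export (hostnames and versions are made up, not real data).
SAMPLE_INVENTORY = [
    "# hostname,chrome_version",
    "ws-001,146.0.7680.178 (Official Build) (64-bit)",
    "ws-002,146.0.7680.9 (Official Build) (64-bit)",
    "ws-003,145.0.7611.120",
    "ws-004,147.0.7700.10",
    "ws-005,not installed",
]
```

Hosts in the "unknown" bucket need a manual check rather than being assumed safe.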
Evidence notes
The CVE description and CPE criteria identify Google Chrome as the affected product. The vendor field showing 'Apple' with medium confidence appears to derive from a non-vulnerable platform CPE (macOS) and conflicts with the primary product attribution. The CVSS vector AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L supports the 6.3 score. CWE-416 (Use After Free) is confirmed by the weakness data.
Official resources
- CVE-2026-5273 CVE record (CVE.org)
- CVE-2026-5273 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Vendor Advisory
- Source reference: [email protected] - Issue Tracking, Permissions Required
2026-04-01