PatchSiren cyber security CVE debrief

CVE-2026-5860 Google CVE debrief

CVE-2026-5860 is a use-after-free vulnerability in WebRTC within Google Chrome versions prior to 147.0.7727.55. The flaw allows a remote attacker to execute arbitrary code inside Chrome's sandbox by enticing a user to visit a crafted HTML page. Google has assigned this a High severity rating. The vulnerability was disclosed on April 8, 2026, with the NVD record subsequently modified on May 26, 2026. No known exploitation in ransomware campaigns has been reported, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.

Vendor: Google
Product: Chrome
CVSS: 8.8 (High)
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-08
Original CVE updated: 2026-05-26
Advisory published: 2026-04-08
Advisory updated: 2026-05-26

Who should care

Organizations relying on Google Chrome for business operations, security teams managing browser security postures, and users handling sensitive information through web browsers should prioritize patching. The High severity rating and potential for remote code execution make this a critical update for enterprise environments with large Chrome deployments.

Technical summary

This vulnerability exists in the WebRTC implementation of Google Chrome. A use-after-free condition can be triggered when processing maliciously crafted HTML content, leading to memory corruption. Successful exploitation allows an attacker to execute arbitrary code within the constraints of Chrome's sandbox environment. The attack is network-based and requires user interaction (visiting a malicious page). The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) indicates high impact to confidentiality, integrity, and availability with low attack complexity.

Defensive priority

High

Recommended defensive actions

  • Upgrade Google Chrome to version 147.0.7727.55 or later to remediate this vulnerability
  • Review and apply the stable channel update referenced in the Chrome Release Notes
  • Consider implementing application control policies to restrict browser execution if patching is delayed
  • Monitor for anomalous WebRTC traffic patterns that may indicate exploitation attempts
  • Ensure endpoint detection and response (EDR) solutions are configured to detect use-after-free exploitation behaviors
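The following is an added example (not PatchSiren's or Google's code) for the first action above: it parses the dotted Chrome version from inventory or `google-chrome --version` output and reports whether a build predates the fixed version 147.0.7727.55. The binary name `google-chrome` and the sample inventory lines are assumptions.

```python
"""Check whether an installed Chrome build predates the CVE-2026-5860 fix."""
import re
import subprocess
from typing import Optional, Tuple

# First fixed version per the advisory above.
FIXED_VERSION = "147.0.7727.55"

_VERSION_RE = re.compile(r"(\d+(?:\.\d+){1,3})")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract a dotted version from text such as 'Google Chrome 146.0.7700.12'.
    The result is padded to four integer components so partial versions
    (e.g. '147.0') compare sensibly; returns None when no version is found."""
    match = _VERSION_RE.search(text)
    if not match:
        return None
    parts = [int(p) for p in match.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def is_vulnerable(version_text: str, fixed: str = FIXED_VERSION) -> bool:
    """True if the version found in version_text is older than the fixed build.
    Unparseable input is treated as vulnerable so it surfaces in reports
    instead of being silently skipped."""
    installed = parse_version(version_text)
    if installed is None:
        return True
    return installed < parse_version(fixed)


def check_local_chrome(binary: str = "google-chrome") -> Optional[bool]:
    """Run '<binary> --version' on this host; None if the binary is absent."""
    try:
        out = subprocess.run([binary, "--version"], capture_output=True,
                             text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return is_vulnerable(out.stdout)


if __name__ == "__main__":
    # Constructed sample lines standing in for inventory output from three hosts.
    for line in ["Google Chrome 146.0.7700.12",
                 "Google Chrome 147.0.7727.55",
                 "Chromium 147.0.7727.60"]:
        print(f"{line}: {'VULNERABLE' if is_vulnerable(line) else 'fixed'}")
```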

Evidence notes

The vulnerability description and affected product information are sourced from the official NVD record and Chrome Release Notes. The vendor field indicates Apple with medium confidence based on NVD CPE data; however, the primary affected product is Google Chrome per the CVE description and CPE criteria. The CPE configuration shows Chrome versions prior to 147.0.7727.55 as vulnerable, with macOS, Linux, and Windows listed as non-vulnerable operating system platforms.

Official resources

2026-04-08