CVE-2026-5867 Google CVE debrief

Who should care

Organizations with Chrome deployments, particularly those with users who may visit untrusted web content; security teams monitoring browser-based attack vectors; developers building web applications that utilize WebML APIs

Technical summary

The vulnerability exists in Chrome's WebML implementation, where improper bounds checking on heap-allocated buffers could allow out-of-bounds memory reads. A remote attacker could craft a malicious HTML page that, when loaded by a victim, triggers the overflow and leaks sensitive data from the browser process memory. The attack requires user interaction (visiting the malicious page) but no authentication or elevated privileges. The fix was released in Chrome 147.0.7727.55.

Defensive priority

medium

Recommended defensive actions

• Update Google Chrome to version 147.0.7727.55 or later to remediate this vulnerability
• Verify Chrome auto-update is enabled and functioning in enterprise environments
• Consider implementing site isolation policies to limit impact of renderer exploits
• Monitor for unusual memory access patterns or crashes in Chrome processes as potential indicators of exploitation attempts
• Review and restrict access to untrusted or suspicious websites, as user interaction is required for exploitation

Evidence notes

The CVE description and NVD metadata confirm this is a Chrome WebML heap buffer overflow patched in version 147.0.7727.55. The CVSS vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) indicates network attack vector, low attack complexity, no privileges required, but user interaction required, with low confidentiality impact. The vendor field shows 'Apple' with medium confidence from NVD CPE data, though this appears to be a data quality artifact—the CPE criteria clearly identify Google Chrome as the vulnerable product. The vulnerability is not marked as KEV and has no known ransomware use.

Official resources