CVE-2026-5872 Overview
CVE-2026-5872 is a use-after-free vulnerability in the Blink rendering engine of Google Chrome versions prior to 147.0.7727.55. A remote attacker can trigger memory corruption by serving a crafted HTML page, leading to arbitrary code execution within the Chrome sandbox. The flaw is classified under CWE-416: Use After Free and affects Chrome on Windows, macOS, and Linux. Exploitation requires user interaction, typically by enticing a victim to visit a malicious webpage. Google rated the issue High severity and addressed it in the Stable channel update for desktop.
Critical Impact
Successful exploitation gives a remote attacker arbitrary code execution inside the Chrome renderer sandbox, a foothold that subsequent sandbox-escape chains build on.
Affected Products
- Google Chrome versions prior to 147.0.7727.55
- Chrome desktop on Microsoft Windows
- Chrome desktop on Apple macOS and Linux
Discovery Timeline
- 2026-04-08 - CVE-2026-5872 published to the National Vulnerability Database
- 2026-04-13 - Last updated in the NVD
Technical Details for CVE-2026-5872
Vulnerability Analysis
The vulnerability resides in Blink, the open-source rendering engine that processes HTML, CSS, and DOM operations within Chrome. A use-after-free condition occurs when Blink continues to reference an object in memory after that object has been freed. An attacker can shape heap state to place attacker-controlled data into the freed memory region.
When Blink later dereferences the dangling pointer, the engine operates on attacker-controlled content. This primitive enables hijacking control flow within the renderer process. The attacker gains arbitrary code execution constrained to the renderer sandbox, which is a strong starting point for chained sandbox escapes.
The Chromium tracking entry for this issue is Chromium Issue 496281816.
Root Cause
The defect stems from improper object lifetime management within Blink. A reference to a DOM-related object persists after the object is deallocated, leaving a dangling pointer. Blink subsequently uses the stale pointer during rendering or script execution, breaking the memory safety guarantees the engine depends on.
Attack Vector
Exploitation is remote and requires user interaction. The attacker hosts a crafted HTML page or injects malicious markup into a compromised site. When the victim loads the page, JavaScript and DOM manipulation trigger the free of an object that Blink continues to access. The attacker uses heap grooming to control the contents of the reused allocation, achieving code execution in the renderer process.
No verified public proof-of-concept code is available for this vulnerability. Refer to the Google Chrome release notes for vendor details.
Detection Methods for CVE-2026-5872
Indicators of Compromise
- Chrome renderer process crashes with signatures consistent with heap corruption following navigation to an untrusted page.
- Unexpected child processes spawned by chrome.exe or the renderer helper after browsing activity.
- Outbound connections from Chrome processes to newly registered or low-reputation domains hosting HTML payloads.
Detection Strategies
- Inventory Chrome installations across the fleet and flag any version below 147.0.7727.55 as vulnerable.
- Monitor endpoint telemetry for renderer crashes correlated with web navigation, which can indicate exploitation attempts.
- Hunt for browser-spawned process anomalies such as shell or scripting interpreter execution descending from Chrome.
Monitoring Recommendations
- Forward Chrome crash dumps and process creation events to a centralized logging platform for retrospective analysis.
- Track web proxy logs for repeated visits to suspicious domains immediately preceding browser instability.
- Tag detection rules with the MITRE ATT&CK techniques T1189 (Drive-by Compromise) and T1203 (Exploitation for Client Execution) so alerts map onto the expected intrusion stages.
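The version gate from the first detection strategy and the browser-spawned-interpreter hunt from the third, run over a constructed fleet inventory and constructed process-creation events, as an added example that is not part of this advisory or of any Google tooling. The fixed build number, the `google-chrome --version` output shape and the T1203 mapping come from the page; the host names, image paths, interpreter list and event schema are assumptions.

```python
import re

# First fixed Stable build named in this advisory; anything strictly below it is in scope.
FIXED_VERSION = "147.0.7727.55"

_VERSION_RE = re.compile(r"(\d+(?:\.\d+){1,3})")


def parse_version(text: str) -> tuple:
    """Pull a dotted version out of strings such as 'Google Chrome 146.0.7700.80'
    (the shape `google-chrome --version` prints) and return it as an int tuple,
    padded to four components so 147.0 and 147.0.0.0 compare equal."""
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    parts = tuple(int(p) for p in match.group(1).split("."))
    return parts + (0,) * (4 - len(parts))


def is_vulnerable(reported: str, fixed: str = FIXED_VERSION) -> bool:
    """Integer-tuple comparison, never string comparison: as strings, '99.0' > '147.0'."""
    return parse_version(reported) < parse_version(fixed)


# Constructed fleet inventory (hostname -> raw version string) as an asset tool might export it.
SAMPLE_INVENTORY = {
    "ws-001": "Google Chrome 146.0.7700.80",
    "ws-002": "Google Chrome 147.0.7727.55",
    "ws-003": "147.0.7727.60",
    "ws-004": "Google Chrome 99.0.4844.51",
}


def vulnerable_hosts(inventory: dict) -> list:
    """Hosts whose Chrome build is below the fixed version, sorted for stable reporting."""
    return sorted(host for host, version in inventory.items() if is_vulnerable(version))


# Chrome forks more Chrome processes all the time; a shell or script interpreter as a
# direct child of the browser is the anomaly the hunt looks for. Both sets are assumptions.
BROWSER_IMAGES = {"chrome.exe", "chrome", "google-chrome", "google chrome"}
INTERPRETER_IMAGES = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe",
    "sh", "bash", "zsh", "python", "python3", "osascript",
}

# Constructed process-creation events in the shape an EDR or Sysmon-style export might use.
SAMPLE_PROCESS_EVENTS = [
    {"host": "ws-001", "parent_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"host": "ws-001", "parent_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "image": r"C:\Windows\System32\cmd.exe"},
    {"host": "ws-003", "parent_image": "/opt/google/chrome/chrome", "image": "/bin/bash"},
    {"host": "ws-002", "parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe"},
]


def _basename(path: str) -> str:
    """Last path component, lower-cased, for both Windows and POSIX separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def suspicious_browser_children(events) -> list:
    """Flag interpreter processes whose parent is a Chrome image. Each finding carries the
    ATT&CK technique this advisory maps the behaviour to (T1203, Exploitation for Client Execution)."""
    findings = []
    for event in events:
        parent = _basename(event["parent_image"])
        child = _basename(event["image"])
        if parent in BROWSER_IMAGES and child in INTERPRETER_IMAGES:
            findings.append({"host": event["host"], "parent": parent, "child": child, "technique": "T1203"})
    return findings


if __name__ == "__main__":
    print("vulnerable hosts:", vulnerable_hosts(SAMPLE_INVENTORY))
    for finding in suspicious_browser_children(SAMPLE_PROCESS_EVENTS):
        print("suspicious child:", finding)
```

The chrome-to-chrome event and the explorer-to-cmd event are deliberately left unflagged: the first is normal multi-process behaviour, the second has nothing to do with the browser. Feed real inventory and telemetry in place of the two SAMPLE_ constants.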
How to Mitigate CVE-2026-5872
Immediate Actions Required
- Update Google Chrome to version 147.0.7727.55 or later on all Windows, macOS, and Linux endpoints.
- Restart Chrome after the update so the patched binaries are loaded into all running browser sessions.
- Validate enterprise update channels and group policies to confirm clients are receiving the Stable channel build.
Patch Information
Google released the fix in the Stable channel update for desktop, version 147.0.7727.55. Full vendor details are available in the Stable Channel Update for Desktop. Chromium-based browsers that share the Blink engine should be updated when their vendors publish corresponding releases.
Workarounds
- Restrict browsing to trusted sites using web filtering and DNS reputation controls until patching is complete.
- Disable JavaScript on untrusted origins through enterprise Chrome policies to limit DOM manipulation primitives.
- Enforce site isolation and the Chrome sandbox, ensuring no enterprise policy weakens default sandboxing protections.
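A policy audit for the three workarounds above, as an added example that is not Google's code and not part of this advisory: it merges Chrome's Linux managed-policy files and flags settings that leave JavaScript allowed by default, explicitly disable site isolation, or omit URL filtering. The policy names (SitePerProcess, DefaultJavaScriptSetting, JavaScriptAllowedForUrls, URLBlocklist, URLAllowlist), their value encodings and the /etc/opt/chrome/policies/managed directory are Chrome's; the two sample policies and the checks themselves are constructed here.

```python
import json
from pathlib import Path

# On Linux, Chrome reads managed policy from every *.json file in this directory.
LINUX_MANAGED_POLICY_DIR = Path("/etc/opt/chrome/policies/managed")


def load_managed_policies(directory: Path = LINUX_MANAGED_POLICY_DIR) -> dict:
    """Merge all managed policy files in the directory; later files override earlier keys."""
    merged = {}
    for path in sorted(directory.glob("*.json")):
        with path.open() as fh:
            merged.update(json.load(fh))
    return merged


def audit_policy(policy: dict) -> list:
    """Return one human-readable finding per setting that falls short of the workarounds.
    Policy names and value encodings are Chrome's; the checks are this example's own."""
    findings = []

    # Site isolation is on by default; only an explicit false weakens it.
    if policy.get("SitePerProcess") is False:
        findings.append("SitePerProcess=false disables site isolation; remove the key or set it to true")

    # DefaultJavaScriptSetting: 1 = allow on all sites, 2 = block unless listed in JavaScriptAllowedForUrls.
    if policy.get("DefaultJavaScriptSetting", 1) != 2:
        findings.append("DefaultJavaScriptSetting is not 2 (block); untrusted origins can still run script")
    elif not policy.get("JavaScriptAllowedForUrls"):
        findings.append("JavaScript is blocked everywhere but JavaScriptAllowedForUrls is empty; trusted sites will break")

    # Web filtering by policy: without a URLBlocklist, browsing is not restricted to trusted sites.
    if not policy.get("URLBlocklist"):
        findings.append("URLBlocklist is empty; browsing is not restricted to trusted sites by policy")

    return findings


# Constructed samples: a policy that weakens defaults, and one that implements the workarounds.
WEAK_POLICY = {
    "SitePerProcess": False,
    "DefaultJavaScriptSetting": 1,
}

HARDENED_POLICY = {
    "SitePerProcess": True,
    "DefaultJavaScriptSetting": 2,
    # intranet.example is a placeholder host; [*.] is Chrome's subdomain wildcard for content settings.
    "JavaScriptAllowedForUrls": ["https://[*.]intranet.example"],
    # Block everything, then carve out the trusted sites; URLAllowlist takes precedence over URLBlocklist.
    "URLBlocklist": ["*"],
    "URLAllowlist": ["intranet.example"],
}


if __name__ == "__main__":
    live = load_managed_policies() if LINUX_MANAGED_POLICY_DIR.is_dir() else {}
    for name, pol in (("weak sample", WEAK_POLICY), ("hardened sample", HARDENED_POLICY), ("live policy", live)):
        print(f"{name}: {audit_policy(pol) or 'no findings'}")
```

Run it on the endpoint itself (the live policy is audited only when the managed directory exists), or point load_managed_policies at a copy of the policy files pulled from a configuration-management repository. An empty policy is reported as two findings, because Chrome's defaults allow JavaScript everywhere and filter no URLs, while site isolation is only flagged when a policy turns it off.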
Commands to verify the installed Chrome version on each platform; compare the result against 147.0.7727.55:
# Linux: print the installed version
google-chrome --version
# Windows: query the Google Update client entry for Chrome
reg query "HKLM\Software\Google\Update\Clients\{8A69D345-D564-463C-AFF1-A69D9E530F96}" /v pv
# Windows 64-bit: Google Update is a 32-bit component, so the same entry is under WOW6432Node
reg query "HKLM\Software\WOW6432Node\Google\Update\Clients\{8A69D345-D564-463C-AFF1-A69D9E530F96}" /v pv
# macOS: read the version from the application bundle
defaults read /Applications/Google\ Chrome.app/Contents/Info CFBundleShortVersionString
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


