CVE-2026-5904 Overview
CVE-2026-5904 is a use-after-free vulnerability [CWE-416] in the V8 JavaScript engine of Google Chrome prior to version 147.0.7727.55. An attacker who convinces a user to install a malicious Chrome extension can trigger heap corruption through a crafted extension payload. Successful exploitation can lead to arbitrary code execution within the renderer process and potential sandbox-relevant follow-on activity.
The flaw affects Chrome installations on Windows, macOS, and Linux. Google addressed the issue in the Stable channel update for desktop. While Chromium rates the underlying bug as Low severity, the NVD assigns a High rating due to the impact profile when exploitation succeeds.
Critical Impact
Heap corruption in V8 can be leveraged for arbitrary code execution in the renderer process via a malicious Chrome extension, compromising browser-managed data and session integrity.
Affected Products
- Google Chrome prior to 147.0.7727.55 on Microsoft Windows
- Google Chrome prior to 147.0.7727.55 on Apple macOS
- Google Chrome prior to 147.0.7727.55 on Linux
Discovery Timeline
- 2026-04-08 - CVE-2026-5904 published to NVD
- 2026-04-13 - Last updated in NVD database
Technical Details for CVE-2026-5904
Vulnerability Analysis
The vulnerability resides in V8, the JavaScript and WebAssembly engine that powers Chrome. V8 manages JavaScript object lifetimes through a generational garbage collector. A use-after-free occurs when code continues to reference a memory region after that region has been freed or relocated by the collector.
A crafted Chrome extension can manipulate V8 internals to retain a stale pointer to a freed object. Subsequent operations on that pointer dereference attacker-controllable memory contents. This produces heap corruption that an attacker can shape into a primitive for arbitrary read, arbitrary write, or control-flow hijack within the renderer.
Exploitation requires user interaction, specifically the installation of a malicious extension. Once installed, the extension executes with the privileges of its declared manifest permissions and can interact with V8 via JavaScript APIs exposed to extensions.
Root Cause
The root cause is improper object lifetime management in V8 [CWE-416]. Code paths reachable from extension-supplied JavaScript fail to invalidate or update references after the corresponding heap object is released, leaving dangling pointers that can be dereferenced.
Attack Vector
The attack is delivered through a malicious Chrome extension. An adversary must convince the target to install the extension, typically through social engineering, typosquatted listings, or compromised developer accounts. Once installed, the extension issues crafted JavaScript that triggers the use-after-free in V8 without requiring further user action.
No verified public proof-of-concept is available. The vulnerability is described in prose in the Chromium issue tracker and the Chrome Releases advisory. See the Chromium Issue Tracker Entry for technical references.
Detection Methods for CVE-2026-5904
Indicators of Compromise
- Installation of Chrome extensions from sources outside the official Chrome Web Store or from unverified publishers.
- Chrome renderer process crashes with signatures consistent with heap corruption in v8.dll, libv8, or the Chrome framework binary.
- Unexpected child processes spawned by chrome.exe shortly after extension load.
- Outbound network connections initiated by the Chrome process to attacker-controlled domains following extension installation.
Detection Strategies
- Inventory installed Chrome extensions across endpoints and compare against an approved allowlist.
- Monitor for Chrome version strings below 147.0.7727.55 in endpoint telemetry and asset management data.
- Correlate Chrome crash reports with extension install or update events occurring in the preceding session.
Monitoring Recommendations
- Enable Chrome Enterprise reporting to capture extension install, update, and policy events.
- Forward browser telemetry to a centralized data lake for retrospective hunting on extension IDs and update URLs.
- Alert on processes loading unsigned or newly observed extension manifests in user profile directories.
How to Mitigate CVE-2026-5904
Immediate Actions Required
- Update Google Chrome to version 147.0.7727.55 or later on Windows, macOS, and Linux endpoints.
- Verify automatic updates are enabled and that the browser has restarted to apply the patched binaries.
- Audit installed extensions and remove any that are unapproved, unmaintained, or from untrusted publishers.
Patch Information
Google released the fix in the Stable channel update for desktop. Refer to the Chrome Releases advisory for the full set of fixes shipped in Chrome 147.0.7727.55. Administrators should confirm that managed fleets have rolled forward past this version.
Workarounds
- Deploy Chrome enterprise policies such as ExtensionInstallAllowlist and ExtensionInstallBlocklist to restrict installation to vetted extensions.
- Set ExtensionInstallSources to limit where extensions may be installed from and disable developer mode for non-developer users.
- Train users to reject unsolicited extension install prompts and to install only from the official Chrome Web Store.
# Configuration example: Chrome enterprise policy to restrict extensions (Windows registry)
reg add "HKLM\Software\Policies\Google\Chrome\ExtensionInstallBlocklist" /v 1 /t REG_SZ /d "*" /f
reg add "HKLM\Software\Policies\Google\Chrome\ExtensionInstallAllowlist" /v 1 /t REG_SZ /d "<approved-extension-id>" /f
reg add "HKLM\Software\Policies\Google\Chrome" /v DeveloperToolsAvailability /t REG_DWORD /d 2 /f
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
