{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5868", "assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "state": "PUBLISHED", "assignerShortName": "Chrome", "dateReserved": "2026-04-08T19:34:34.006Z", "datePublished": "2026-04-08T21:20:43.524Z", "dateUpdated": "2026-04-08T21:20:43.524Z"}, "containers": {"cna": {"affected": [{"vendor": "Google", "product": "Chrome", "versions": [{"version": "147.0.7727.55", "status": "affected", "lessThan": "147.0.7727.55", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Heap buffer overflow in ANGLE in Google Chrome on Mac prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Heap buffer overflow", "cweId": "CWE-122"}]}], "providerMetadata": {"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "shortName": "Chrome", "dateUpdated": "2026-04-08T21:20:43.524Z"}, "references": [{"url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html"}, {"url": "https://issues.chromium.org/issues/493256564"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Heap buffer overflow in ANGLE in Google Chrome on Mac prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)"}], "id": "CVE-2026-5868", "lastModified": "2026-04-08T22:16:26.360", "metrics": {}, "published": "2026-04-08T22:16:26.360", "references": [{"source": "chrome-cve-admin@google.com", "url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html"}, {"source": "chrome-cve-admin@google.com", "url": "https://issues.chromium.org/issues/493256564"}], "sourceIdentifier": "chrome-cve-admin@google.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-122"}], "source": "chrome-cve-admin@google.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[147.0.7727.55,147.0.7727.55)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Chrome", "source": "cna", "vendor": "Google"}, "product": "chrome", "vendor": "google"}], "analysis": {"en": {"generated_at": "2026-04-08T22:48:40.013959+00:00", "value": {"mitigation_remediation": ["Update Chrome to version 147.0.7727.55 or later", "Verify that automatic updates are enabled to receive future patches promptly"], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The impact is confined to users of Google Chrome on macOS versions preceding 147.0.7727.55. Earlier builds of the stable channel are vulnerable; the issue is not present in newer releases that incorporate the fix.", "description_and_impact": "A heap buffer overflow exists in the ANGLE graphics stack of Google Chrome on macOS. The flaw can be triggered by a specially crafted HTML page, allowing an attacker to run arbitrary code inside the browser\u2019s sandboxed environment. This vulnerability corresponds to a classic buffer overflow (CWE\u2011122) and has a high severity rating according to Chromium\u2019s internal assessment.", "risk_and_exploitability": "Because the flaw can be triggered by loading a malicious web page, the potential attack vector is remote and does not require local user interaction beyond visiting the site. The CVSS score is not supplied, but the high severity checklist and lack of mitigation steps in the public advisory suggest a serious risk. The EPSS score is unavailable and the vulnerability is not listed in CISA\u2019s KEV catalog, so it is unknown whether active exploitation is occurring."}}}}, "created": "2026-04-09T08:17:34.618145+00:00", "title": "Heap Buffer Overflow in Chrome ANGLE Leading to Remote Code Execution", "updated": "2026-04-09T08:26:58.100920+00:00", "vendors": ["google", "google$PRODUCT$chrome"]}