{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5890", "assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "state": "PUBLISHED", "assignerShortName": "Chrome", "dateReserved": "2026-04-08T19:34:40.168Z", "datePublished": "2026-04-08T21:20:53.327Z", "dateUpdated": "2026-04-08T21:20:53.327Z"}, "containers": {"cna": {"affected": [{"vendor": "Google", "product": "Chrome", "versions": [{"version": "147.0.7727.55", "status": "affected", "lessThan": "147.0.7727.55", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Race in WebCodecs in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Race", "cweId": "CWE-362"}]}], "providerMetadata": {"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "shortName": "Chrome", "dateUpdated": "2026-04-08T21:20:53.327Z"}, "references": [{"url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html"}, {"url": "https://issues.chromium.org/issues/487259772"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Race in WebCodecs in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)"}], "id": "CVE-2026-5890", "lastModified": "2026-04-08T22:16:28.873", "metrics": {}, "published": "2026-04-08T22:16:28.873", "references": [{"source": "chrome-cve-admin@google.com", "url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html"}, {"source": "chrome-cve-admin@google.com", "url": "https://issues.chromium.org/issues/487259772"}], "sourceIdentifier": "chrome-cve-admin@google.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-362"}], "source": "chrome-cve-admin@google.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[147.0.7727.55,147.0.7727.55)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Chrome", "source": "cna", "vendor": "Google"}, "product": "chrome", "vendor": "google"}], "analysis": {"en": {"generated_at": "2026-04-08T22:41:02.183981+00:00", "value": {"mitigation_remediation": ["Update Google Chrome to version 147.0.7727.55 or later and enable automatic updates to ensure timely patch delivery.", "Avoid loading untrusted or suspicious web pages until the browser is updated.", "Monitor for any new advisories regarding this issue in the Chrome release blog or Chromium issue tracker."], "summary": {"action": "Immediate patch", "impact": "Sensitive information disclosure"}, "threat_synthesis": {"affected_systems": "Google Chrome browsers running any version prior to 147.0.7727.55 are vulnerable. The issue was identified in the Chrome stable channel and applies to the desktop build of the browser. Users with older releases should upgrade to the patched version.", "description_and_impact": "A race condition in the WebCodecs component of Google Chrome could allow a remote attacker to read fragments of process memory after a crafted HTML page is loaded. This flaw may expose sensitive information if the memory contains credentials, cryptographic keys, or other confidential data. The weakness corresponds to CWE\u2011362, which is a modification order or synchronization error. The vulnerability is listed as medium severity, indicating that while likely insufficient alone for full data exfiltration, it can facilitate other attacks or lead to partial information leaks.", "risk_and_exploitability": "The exploit requires the attacker to host a malicious web page that the victim visits. The attack can be carried out in a normal browsing session without special permissions. Because the flaw is a synchronization race, injection of crafted script or media data is sufficient. No exploit probability score is published and the vulnerability is not listed in the CISA KEV catalog, suggesting it is not actively weaponized. Nevertheless, the medium severity and the ability to obtain memory contents warrant prompt remediation. The primary risk is leakage of confidential data from the browser process."}}}}, "created": "2026-04-09T08:17:02.429141+00:00", "updated": "2026-04-09T08:26:28.472694+00:00", "vendors": ["google", "google$PRODUCT$chrome"]}