{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5907", "assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "state": "PUBLISHED", "assignerShortName": "Chrome", "dateReserved": "2026-04-08T19:34:44.654Z", "datePublished": "2026-04-08T21:21:03.423Z", "dateUpdated": "2026-04-08T21:21:03.423Z"}, "containers": {"cna": {"affected": [{"vendor": "Google", "product": "Chrome", "versions": [{"version": "147.0.7727.55", "status": "affected", "lessThan": "147.0.7727.55", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Insufficient data validation in Media in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to perform an out of bounds memory read via a crafted video file. (Chromium security severity: Low)"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Insufficient data validation"}]}], "providerMetadata": {"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "shortName": "Chrome", "dateUpdated": "2026-04-08T21:21:03.423Z"}, "references": [{"url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html"}, {"url": "https://issues.chromium.org/issues/484665123"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Insufficient data validation in Media in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to perform an out of bounds memory read via a crafted video file. (Chromium security severity: Low)"}], "id": "CVE-2026-5907", "lastModified": "2026-04-08T22:16:30.580", "metrics": {}, "published": "2026-04-08T22:16:30.580", "references": [{"source": "chrome-cve-admin@google.com", "url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html"}, {"source": "chrome-cve-admin@google.com", "url": "https://issues.chromium.org/issues/484665123"}], "sourceIdentifier": "chrome-cve-admin@google.com", "vulnStatus": "Received"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[147.0.7727.55,147.0.7727.55)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Chrome", "source": "cna", "vendor": "Google"}, "product": "chrome", "vendor": "google"}], "analysis": {"en": {"generated_at": "2026-04-08T22:56:44.805342+00:00", "value": {"mitigation_remediation": ["Update Google Chrome to version 147.0.7727.55 or newer to eliminate the flaw"], "summary": {"action": "Patch Immediately", "impact": "Data Disclosure"}, "threat_synthesis": {"affected_systems": "Versions of Google Chrome earlier than 147.0.7727.55 on any supported platform are affected. The vulnerability is present in the Chrome browser\u2019s media component that decodes video files. The flaw applies to the stable channel until the referenced update is installed.", "description_and_impact": "Google Chrome contained a flaw in its media handling code where insufficient input validation allowed an attacker to craft a malicious video file that triggers an out\u2011of\u2011bounds memory read. The read occurs while processing the video, potentially exposing arbitrary data residing in Chrome\u2019s process memory. The defect is characterized as a low\u2011severity vulnerability, implying that exploitation is not straightforward but still may reveal sensitive information to the attacker.", "risk_and_exploitability": "The CVSS severity is low and the exploitation probability is unknown due to the lack of EPSS data. The vulnerability is not listed in the CISA KEV catalog, suggesting no known active exploits. A likely attack path involves a remote attacker delivering a crafted video file to a user\u2019s browser, either via a malicious website or a tricked download. The read can be performed without additional privileges, providing potential for information disclosure. Given the limited impact level and no public exploit, the threat is moderate but should still be remediated promptly."}}}}, "created": "2026-04-09T08:16:45.720239+00:00", "title": "Out\u2011of\u2011Bounds Memory Read in Chrome Media Processing", "updated": "2026-04-09T08:26:11.831291+00:00", "vendors": ["google", "google$PRODUCT$chrome"], "weaknesses": ["CWE-125"]}