{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0902", "assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "state": "PUBLISHED", "assignerShortName": "Chrome", "dateReserved": "2026-01-13T18:20:16.726Z", "datePublished": "2026-01-20T04:14:15.404Z", "dateUpdated": "2026-01-20T15:29:39.657Z"}, "containers": {"cna": {"affected": [{"vendor": "Google", "product": "Chrome", "versions": [{"version": "144.0.7559.59", "status": "affected", "lessThan": "144.0.7559.59", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Inappropriate implementation in V8 in Google Chrome prior to 144.0.7559.59 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Medium)"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Inappropriate implementation"}]}], "providerMetadata": {"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "shortName": "Chrome", "dateUpdated": "2026-01-20T04:14:15.404Z"}, "references": [{"url": "https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_13.html"}, {"url": "https://issues.chromium.org/issues/469143679"}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-474", "lang": "en", "description": "CWE-474 Use of Function with Inconsistent Implementations"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-01-20T15:29:24.075129Z", "id": "CVE-2026-0902", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-20T15:29:39.657Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-0902", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-20T15:29:24.075129Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-474", "description": "CWE-474 Use of Function with Inconsistent Implementations"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-20T15:00:37.314Z"}}], "cna": {"affected": [{"vendor": "Google", "product": "Chrome", "versions": [{"status": "affected", "version": "144.0.7559.59", "lessThan": "144.0.7559.59", "versionType": "custom"}]}], "references": [{"url": "https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_13.html"}, {"url": "https://issues.chromium.org/issues/469143679"}], "descriptions": [{"lang": "en", "value": "Inappropriate implementation in V8 in Google Chrome prior to 144.0.7559.59 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Medium)"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Inappropriate implementation"}]}], "providerMetadata": {"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "shortName": "Chrome", "dateUpdated": "2026-01-20T04:14:15.404Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0902", "state": "PUBLISHED", "dateUpdated": "2026-01-20T15:29:39.657Z", "dateReserved": "2026-01-13T18:20:16.726Z", "assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "datePublished": "2026-01-20T04:14:15.404Z", "assignerShortName": "Chrome"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*", "matchCriteriaId": "7322229C-61DF-4A91-9816-F7796F9AABCD", "versionEndExcluding": "144.0.7559.59", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*", "matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1", "vulnerable": false}, {"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*", "matchCriteriaId": "258B923C-054B-4411-9E82-36C89A6BE4C4", "versionEndExcluding": "144.0.7559.60", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*", "matchCriteriaId": "387021A0-AF36-463C-A605-32EA7DAC172E", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Inappropriate implementation in V8 in Google Chrome prior to 144.0.7559.59 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Medium)"}], "id": "CVE-2026-0902", "lastModified": "2026-01-29T20:21:45.500", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-01-20T05:16:15.623", "references": [{"source": "chrome-cve-admin@google.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_13.html"}, {"source": "chrome-cve-admin@google.com", "tags": ["Issue Tracking", "Permissions Required"], "url": "https://issues.chromium.org/issues/469143679"}], "sourceIdentifier": "chrome-cve-admin@google.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-474"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "chromium-browser: Inappropriate implementation in V8", "id": "2431126", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431126"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "status": "draft"}, "details": ["No description is available for this CVE."], "name": "CVE-2026-0902", "public_date": "2026-01-13T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-0902\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-0902\nhttps://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_13.html\nhttps://issues.chromium.org/issues/469143679"], "statement": "Red Hat Product Security rates the severity of this flaw as determined by the Google Chrome Security Advisory.", "threat_severity": "Moderate"}

{"analysis": {"en": {"generated_at": "2026-04-18T04:50:44.629504+00:00", "value": {"mitigation_remediation": ["Upgrade Google Chrome to version 144.0.7559.59 or later, which contains the fix for the V8 implementation issue.", "Ensure Chrome\u2019s automatic update mechanism is enabled so that future patches are applied promptly.", "As a temporary measure, avoid visiting untrusted or suspicious web pages, and consider using web\u2011content filtering or sandboxing tools to mitigate the risk until the patch is deployed."], "summary": {"action": "Apply Patch", "impact": "Remote Information Disclosure"}, "threat_synthesis": {"affected_systems": "The vulnerability applies to Google Chrome versions prior to 144.0.7559.59 on all supported operating systems. The affected platforms include Windows, macOS, and Linux, as reflected by the CPEs for those operating systems. Any device running Chrome below the specified patch level is susceptible regardless of the underlying OS.", "description_and_impact": "The bug is an inappropriate implementation in the V8 JavaScript engine of Google Chrome. It allows a remote attacker to trigger an out\u2011of\u2011bounds memory read by serving a crafted HTML page. The attacker can read arbitrary data from the victim\u2019s process memory, potentially revealing sensitive information. This weakness is classified as CWE\u2011474 and is scored with a CVSS score of 8.8, indicating a high impact if exploited.", "risk_and_exploitability": "The CVSS rating highlights significant severity, but the EPSS score of less than 1\u202f% suggests that exploitation attempts are currently rare and unlikely to be prominent in the wild. The vulnerability has not yet been listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation requires a user to open a maliciously crafted web page, implying a client\u2011side, user\u2011interaction attack vector. Because the flaw permits only memory reading, it does not provide command execution or full process takeover."}}}}, "created": "2026-01-20T08:39:54.123890+00:00", "updated": "2026-04-18T05:00:06.028582+00:00", "vendors": ["google", "google$PRODUCT$chrome"]}