{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5279", "assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "state": "PUBLISHED", "assignerShortName": "Chrome", "dateReserved": "2026-03-31T20:07:12.562Z", "datePublished": "2026-04-01T04:41:31.998Z", "dateUpdated": "2026-04-02T03:55:49.957Z"}, "containers": {"cna": {"affected": [{"vendor": "Google", "product": "Chrome", "versions": [{"version": "146.0.7680.178", "status": "affected", "lessThan": "146.0.7680.178", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Object corruption in V8 in Google Chrome prior to 146.0.7680.178 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Object corruption"}]}], "providerMetadata": {"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "shortName": "Chrome", "dateUpdated": "2026-04-01T04:41:31.998Z"}, "references": [{"url": "https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_31.html"}, {"url": "https://issues.chromium.org/issues/490642836"}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-120", "lang": "en", "description": "CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-01T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-5279"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T03:55:49.957Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-5279", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-01T13:38:37.093747Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-120", "description": "CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T13:40:57.473Z"}}], "cna": {"affected": [{"vendor": "Google", "product": "Chrome", "versions": [{"status": "affected", "version": "146.0.7680.178", "lessThan": "146.0.7680.178", "versionType": "custom"}]}], "references": [{"url": "https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_31.html"}, {"url": "https://issues.chromium.org/issues/490642836"}], "descriptions": [{"lang": "en", "value": "Object corruption in V8 in Google Chrome prior to 146.0.7680.178 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Object corruption"}]}], "providerMetadata": {"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "shortName": "Chrome", "dateUpdated": "2026-04-01T04:41:31.998Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5279", "state": "PUBLISHED", "dateUpdated": "2026-04-02T03:55:49.957Z", "dateReserved": "2026-03-31T20:07:12.562Z", "assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "datePublished": "2026-04-01T04:41:31.998Z", "assignerShortName": "Chrome"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*", "matchCriteriaId": "55B0324F-7911-403B-8235-D71996B55DFB", "versionEndExcluding": "146.0.7680.177", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*", "matchCriteriaId": "387021A0-AF36-463C-A605-32EA7DAC172E", "vulnerable": false}, {"criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*", "matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1", "vulnerable": false}, {"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Object corruption in V8 in Google Chrome prior to 146.0.7680.178 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)"}], "id": "CVE-2026-5279", "lastModified": "2026-04-02T00:16:24.443", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-01T05:16:01.200", "references": [{"source": "chrome-cve-admin@google.com", "tags": ["Vendor Advisory"], "url": "https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_31.html"}, {"source": "chrome-cve-admin@google.com", "tags": ["Issue Tracking", "Permissions Required"], "url": "https://issues.chromium.org/issues/490642836"}], "sourceIdentifier": "chrome-cve-admin@google.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-120"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "chromium-browser: Object corruption in V8", "id": "2453697", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2453697"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.6", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-843", "details": ["An object corruption flaw was found in the V8 component of the Chromium browser.\nUpstream bug(s):\nhttps://code.google.com/p/chromium/issues/detail?id=490642836"], "name": "CVE-2026-5279", "public_date": "2026-03-31T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-5279\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-5279\nhttps://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_31.html\nhttps://issues.chromium.org/issues/490642836"], "statement": "Red Hat Product Security rates the severity of this flaw as determined by the Google Chrome Security Advisory.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[146.0.7680.178,146.0.7680.178)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Chrome", "source": "cna", "vendor": "Google"}, "product": "chrome", "vendor": "google"}], "analysis": {"en": {"generated_at": "2026-04-02T02:31:11.248064+00:00", "value": {"mitigation_remediation": ["Update Google Chrome to version 146.0.7680.178 or newer"], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all desktop editions of Google Chrome released before version 146.0.7680.178 on every major operating system, including macOS, Linux, and Windows, as indicated by the referenced Common Platform Enumeration strings. Users whose browsers remain on these legacy versions are at risk regardless of platform.", "description_and_impact": "A defect in the V8 JavaScript engine of Google Chrome caused object corruption that lets an attacker run arbitrary code inside the browser process sandbox. The bug is categorized under memory corruption and type confusion weaknesses, which can lead to code execution on the client machine. Although the attacker gains code execution only within the sandboxed environment, any successful exploit could provide a foothold that may be leveraged for further attacks if the sandbox is subsequently broken or used to execute additional malicious payloads. This bifurcation of memory safety violations is most consistent with the listed weaknesses of CWE\u2011120 and CWE\u2011843.", "risk_and_exploitability": "The flaw carries an overall CVSS score of 8.8, classifying it as high severity, yet its EPSS score is below 1\u202f%, indicating a very low probability of being actively exploited in the wild at present. It is not listed in the CISA KEV catalog. The exploitation path requires a remote attacker to serve a crafted HTML page that a victim\u2019s Chrome will render, which is a straightforward attack vector for malicious sites or phishing campaigns. No additional discovery or privileged access is needed once the user opens the page, making the vulnerability readily exploitable in typical web browsing scenarios."}}}}, "created": "2026-04-02T07:50:10.455297+00:00", "updated": "2026-04-02T20:18:22.864522+00:00", "vendors": ["google", "google$PRODUCT$chrome"]}