{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5890", "assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "state": "PUBLISHED", "assignerShortName": "Chrome", "dateReserved": "2026-04-08T19:34:40.168Z", "datePublished": "2026-04-08T21:20:53.327Z", "dateUpdated": "2026-04-09T20:12:08.390Z"}, "containers": {"cna": {"affected": [{"vendor": "Google", "product": "Chrome", "versions": [{"version": "147.0.7727.55", "status": "affected", "lessThan": "147.0.7727.55", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Race in WebCodecs in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Race", "cweId": "CWE-362"}]}], "providerMetadata": {"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "shortName": "Chrome", "dateUpdated": "2026-04-08T21:20:53.327Z"}, "references": [{"url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html"}, {"url": "https://issues.chromium.org/issues/487259772"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T18:35:55.934601Z", "id": "CVE-2026-5890", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T20:12:08.390Z"}}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*", "matchCriteriaId": "9A68673A-1331-48AF-8860-53064F0AF310", "versionEndExcluding": "147.0.7727.55", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*", "matchCriteriaId": "387021A0-AF36-463C-A605-32EA7DAC172E", "vulnerable": false}, {"criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*", "matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1", "vulnerable": false}, {"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Race in WebCodecs in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)"}], "id": "CVE-2026-5890", "lastModified": "2026-04-16T16:35:55.980", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-08T22:16:28.873", "references": [{"source": "chrome-cve-admin@google.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html"}, {"source": "chrome-cve-admin@google.com", "tags": ["Issue Tracking", "Permissions Required"], "url": "https://issues.chromium.org/issues/487259772"}], "sourceIdentifier": "chrome-cve-admin@google.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-362"}], "source": "chrome-cve-admin@google.com", "type": "Primary"}]}

{"bugzilla": {"description": "chromium-browser: Race in WebCodecs", "id": "2456770", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456770"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-368", "details": ["A race flaw was found in the WebCodecs component of the Chromium browser.\nUpstream bug(s):\nhttps://code.google.com/p/chromium/issues/detail?id=487259772"], "name": "CVE-2026-5890", "public_date": "2026-04-07T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-5890\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-5890\nhttps://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html\nhttps://issues.chromium.org/issues/487259772"], "statement": "Red Hat Product Security rates the severity of this flaw as determined by the Google Chrome Security Advisory.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[147.0.7727.55,147.0.7727.55)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Chrome", "source": "cna", "vendor": "Google"}, "product": "chrome", "vendor": "google"}], "analysis": {"en": {"generated_at": "2026-04-17T09:51:30.414325+00:00", "value": {"mitigation_remediation": ["Upgrade Google Chrome to version 147.0.7727.55 or later.", "If an immediate upgrade is not feasible, start Chrome with the flag `--disable-features=WebCodecs` to prevent usage of the vulnerable API.", "Review all installed Chrome extensions; remove or update those that rely on WebCodecs until the browser is patched."], "summary": {"action": "Patch Now", "impact": "Memory Disclosure"}, "threat_synthesis": {"affected_systems": "All users of Google Chrome that run versions prior to 147.0.7727.55 are affected. The vulnerability is specific to the Chrome product from Google, and it does not extend to other browsers or products.", "description_and_impact": "A race condition exists in Chrome\u2019s WebCodecs implementation that permits a remote attacker to read data from the browser\u2019s process memory. An attacker can craft a malicious HTML page that exploits the timing flaw, allowing access to potentially sensitive information. This vulnerability falls under multiple concurrency weaknesses, as identified by CWE-362 and CWE-368, and is rated Medium in severity by Chromium\u2019s own risk assessment.", "risk_and_exploitability": "The CVSS base score of 5.3 places the flaw in the Medium severity range, and the EPSS score is below 1%, indicating a lower overall likelihood of exploitation. The vulnerability remains absent from the CISA KEV catalog. Exploitation requires a remote attacker to persuade a user to load a carefully crafted webpage, which can be achieved via phishing or malicious content hosting. An exploitation would allow the attacker to read privilege\u2011escalated memory contents, potentially leaking user secrets, browser tokens, or other confidential data."}}}}, "created": "2026-04-09T08:17:02.429141+00:00", "updated": "2026-04-17T10:00:03.567581+00:00", "vendors": ["google", "google$PRODUCT$chrome"]}