Description
Insufficient policy enforcement in WebUSB in Google Chrome prior to 146.0.7680.178 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)
Published: 2026-04-01
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information disclosure
Action: Immediate Patch
AI Analysis

Impact

An attacker can trick a user into visiting a malicious web page that exploits a weakness in Chrome’s WebUSB policy enforcement. The crafted page can read sensitive data from the browser’s process memory, giving the attacker confidential information. The vulnerability maps to weaknesses in policy enforcement and protection mechanisms, and the risk is centered on confidentiality loss.

Affected Systems

Google Chrome versions before 146.0.7680.178 on all major operating systems (Windows, macOS, Linux). Users running these pre‑patched releases are at risk.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate to high severity. The EPSS score is below 1%, suggesting low current exploitation probability, and the issue is not listed in the CISA KEV catalog. Exploitation requires a user to open a crafted web page that requests WebUSB access, after which the attacker can read memory. Because it is a remote flaw accessed through a web interface, user awareness and timely updates are critical.

Generated by OpenCVE AI on April 2, 2026 at 04:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to 146.0.7680.178 or later.
  • If an update is unavailable, disable WebUSB through Chrome policies or the chrome://flags settings.
  • Refrain from connecting untrusted USB devices to the system until a fix is applied.

Generated by OpenCVE AI on April 2, 2026 at 04:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6192-1 chromium security update
History

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Title chromium-browser: Insufficient policy enforcement in WebUSB
First Time appeared Apple
Apple macos
Google
Google chrome
Linux
Linux linux Kernel
Microsoft
Microsoft windows
Weaknesses CWE-280
CWE-693
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Google
Google chrome
Linux
Linux linux Kernel
Microsoft
Microsoft windows
References
Metrics threat_severity

None

 cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

threat_severity

Important

Wed, 01 Apr 2026 05:00:00 +0000

Type Values Removed Values Added
Description Insufficient policy enforcement in WebUSB in Google Chrome prior to 146.0.7680.178 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)
References

Subscriptions

Apple Macos
Google Chrome
Linux Linux Kernel
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-04-01T13:33:18.780Z

Reserved: 2026-03-31T20:07:11.738Z

Link: CVE-2026-5276

cve-icon Vulnrichment

Updated: 2026-04-01T13:33:13.875Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-01T05:16:00.830

Modified: 2026-04-01T16:40:07.200

Link: CVE-2026-5276

cve-icon Redhat

Severity : Important

Publid Date: 2026-03-31T00:00:00Z

Links: CVE-2026-5276 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T20:18:25Z

Weaknesses