Description
Out of bounds read in WebCodecs in Google Chrome prior to 146.0.7680.178 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-04-01
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Data Exposure
Action: Immediate Patch
AI Analysis

Impact

An out-of-bounds read exists in the WebCodecs component of Google Chrome, allowing a remote attacker to trigger memory reads beyond the intended buffer by delivering a specially crafted HTML page. The flaw, identified as CWE‑125, lets the attacker read arbitrary memory contents from the browser process, potentially exposing sensitive information. Google rates the security severity as medium, but the CVSS score of 8.8 indicates a high impact if successfully exploited.

Affected Systems

Google Chrome versions prior to 146.0.7680.178 are affected. The issue applies across all operating systems supported by Chrome—macOS, Linux, and Windows—because the vulnerability resides in the browser engine rather than the underlying OS.

Risk and Exploitability

The CVSS score reflects high severity, yet the EPSS score of less than 1% suggests a low current probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires a victim to open a malicious web page, providing remote access through the browser. The attacker obtains read‑only access to the victim’s process memory. While a public exploit has not been disclosed, the potential for information leakage warrants prompt remediation.

Generated by OpenCVE AI on April 2, 2026 at 05:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 146.0.7680.178 or newer
  • Ensure automatic updates are enabled and verify the browser is up‑to‑date
  • If updates are unavailable, restrict WebCodecs via enterprise policy or disable the feature through Chrome flags

Generated by OpenCVE AI on April 2, 2026 at 05:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6192-1 chromium security update
History

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Title Out-Of-Bounds Read Vulnerability in Chrome WebCodecs

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Google
Google chrome
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Google
Google chrome
Linux
Linux linux Kernel
Microsoft
Microsoft windows
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 01 Apr 2026 05:00:00 +0000

Type Values Removed Values Added
Description Out of bounds read in WebCodecs in Google Chrome prior to 146.0.7680.178 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Medium)
Weaknesses CWE-125
References

Subscriptions

Apple Macos
Google Chrome
Linux Linux Kernel
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-04-02T03:55:37.633Z

Reserved: 2026-03-31T20:07:16.395Z

Link: CVE-2026-5292

cve-icon Vulnrichment

Updated: 2026-04-01T13:55:24.277Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-01T05:16:02.853

Modified: 2026-04-01T17:07:20.250

Link: CVE-2026-5292

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T20:18:08Z

Weaknesses