Description
Side-channel information leakage in Navigation in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-04-08
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑origin data leakage via crafted page
Action: Patch
AI Analysis

Impact

The vulnerability arises from a side‑channel in the navigation procedure of Google Chrome before version 147.0.7727.55. A remote attacker can deliver a specially crafted HTML page that causes the browser to expose data belonging to a different origin. The exposure is a confidentiality breach: the attacker can read sensitive information that the same‑origin policy should isolate. The weakness is classified as CWE-1300 and CWE-346.

Affected Systems

Google Chrome browsers on desktop platforms, on any operating system, that are running a version older than 147.0.7727.55. Users on these earlier releases are at risk.

Risk and Exploitability

The CVSS score of 7.4 indicates a high threat level, while the EPSS score of less than 1 % suggests that large‑scale exploitation is unlikely at this time. The vulnerability is not present in the CISA KEV catalog. An attacker needs only to serve a malicious web page to the vulnerable client; no local privilege or network access is required. The attack vector is remote, through the browser’s rendering engine.

Generated by OpenCVE AI on April 10, 2026 at 01:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to version 147.0.7727.55 or later.
  • Enable automatic updates to receive security releases as soon as they are available.


Advisories
Source ID Title
Debian DSA DSA-6205-1 chromium security update
History

Sat, 11 Apr 2026 03:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}


Fri, 10 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Title Side-Channel Information Leakage via Navigation in Google Chrome chromium-browser: Side-channel information leakage in Navigation
Weaknesses CWE-346
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N'}

threat_severity

Moderate


Thu, 09 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
Title Side-Channel Information Leakage via Navigation in Google Chrome
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Wed, 08 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
Description Side-channel information leakage in Navigation in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
Weaknesses CWE-1300
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-04-11T03:03:31.034Z

Reserved: 2026-04-08T19:34:36.637Z

Link: CVE-2026-5876

Vulnrichment

Updated: 2026-04-11T03:03:21.829Z

NVD

Status: Received

Published: 2026-04-08T22:16:27.210

Modified: 2026-04-11T04:17:14.377

Link: CVE-2026-5876

Red Hat

Severity: Moderate

Public Date: 2026-04-07T00:00:00Z

Links: CVE-2026-5876 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-10T09:40:24Z

Weaknesses