Description
Side-channel information leakage in Navigation in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-04-08
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑origin data leakage via crafted web page
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a side‑channel information leak that occurs during navigation in Google Chrome. A maliciously crafted HTML page can trigger the browser to reveal data that belongs to other origins, enabling a remote attacker to read sensitive information. The issue is identified as CWE‑1300 for side‑channel leakage and CWE‑346 for logic flaw, and it does not provide execution of code or denial of service; its primary consequence is a confidentiality breach that may be used for credential theft or phishing amplification.

Affected Systems

All installations of Google Chrome that run any operating system—macOS, Linux, or Windows—are affected if the browser version is earlier than 147.0.7727.55. The vulnerability is fixed in Chrome 147.0.7727.55 and later, so updates beyond that version remove the flaw.

Risk and Exploitability

The CVSS score of 6.5 rates the vulnerability as medium severity, and the EPSS score of less than 1% suggests that attacks are currently rare. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote: a malicious web page that a user visits can trigger the leak, with no requirement for local privileges or advanced user knowledge. While the impact is limited to data leakage and does not allow arbitrary code execution, the ability to read cross‑origin data raises the risk of confidential information exposure.

Generated by OpenCVE AI on April 13, 2026 at 18:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 147.0.7727.55 or later.
  • Verify that the browser has the latest security patches applied.

Generated by OpenCVE AI on April 13, 2026 at 18:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6205-1 chromium security update
History

Mon, 13 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Sat, 11 Apr 2026 03:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}

Fri, 10 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Title Side-Channel Information Leakage via Navigation in Google Chrome chromium-browser: Side-channel information leakage in Navigation
Weaknesses CWE-346
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N'}

threat_severity

Moderate

Thu, 09 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
Title Side-Channel Information Leakage via Navigation in Google Chrome
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Wed, 08 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
Description Side-channel information leakage in Navigation in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
Weaknesses CWE-1300
References

Subscriptions

Apple Macos
Google Chrome
Linux Linux Kernel
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-04-11T03:03:31.034Z

Reserved: 2026-04-08T19:34:36.637Z

Link: CVE-2026-5876

cve-icon Vulnrichment

Updated: 2026-04-11T03:03:21.829Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-08T22:16:27.210

Modified: 2026-04-13T17:40:36.747

Link: CVE-2026-5876

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-07T00:00:00Z

Links: CVE-2026-5876 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:37:51Z

Weaknesses