Description
Insufficient validation of untrusted input in WebML in Google Chrome on Windows prior to 147.0.7727.55 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-04-08
Score: n/a
EPSS: n/a
KEV: No
Impact: Information Disclosure
Action: Patch Immediately
AI Analysis

Impact

Chrome for Windows prior to 147.0.7727.55 contains an insufficient input validation flaw in WebML. A remote attacker can embed malicious content in an otherwise harmless HTML page, causing the browser to read process memory while processing WebML data. This allows the attacker to obtain potentially sensitive information from the process memory, resulting in an information disclosure that could expose confidential user data. The weakness is a classic input validation issue (CWE-20).

Affected Systems

The vulnerability affects Google Chrome running on Windows operating systems. Any installation of Chrome before version 147.0.7727.55 is susceptible, regardless of channel, as the patch is released for all stable releases. Users on newer versions are not impacted.

Risk and Exploitability

Overall risk is moderate. The flaw is exploitable remotely through a crafted web page without requiring user interaction beyond visiting the page. No authentication or elevated privileges are needed. While the EPSS score is not provided and the vulnerability is not listed in CISA’s KEV catalog, the medium severity rating and the ability to exfiltrate memory indicate a non-negligible threat if an attacker can supply malicious content to the victim’s browser.

Generated by OpenCVE AI on April 8, 2026 at 22:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Chrome to version 147.0.7727.55 or later
  • Verify that automatic updates are enabled to receive the latest security patches
  • If unable to update, consider disabling WebML support in Chrome settings (if available) or use a browser with patches applied

Advisories

No advisories yet.

History

Thu, 09 Apr 2026 08:30:00 +0000

Type | Values Removed | Values Added
Title | | Unvalidated WebML Input Enables Memory Information Disclosure in Chrome on Windows
First Time appeared | | Google; Google chrome
Vendors & Products | | Google; Google chrome

Wed, 08 Apr 2026 21:30:00 +0000

Type | Values Removed | Values Added
Description | | Insufficient validation of untrusted input in WebML in Google Chrome on Windows prior to 147.0.7727.55 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)
Weaknesses | | CWE-20
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-04-08T21:20:51.118Z

Reserved: 2026-04-08T19:34:38.682Z

Link: CVE-2026-5885

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-08T22:16:28.167

Modified: 2026-04-08T22:16:28.167

Link: CVE-2026-5885

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:26:41Z

Weaknesses