CVE-2026-5886 - Vulnerability Details

- chromium-browser: Out of bounds read in WebAudio

Description

Out of bounds read in WebAudio in Google Chrome on Mac prior to 147.0.7727.55 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)

Published: 2026-04-08

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

An out‑of‑bounds read in the WebAudio engine of Google Chrome on macOS allows a remote attacker to read data from the browser’s process memory when rendering a specially crafted HTML page. The vulnerability, identified as CWE‑125, provides an attacker the ability to obtain potentially sensitive information, leading to a medium‑severity information‑disclosure risk.

Affected Systems

The flaw affects the Chrome web browser, specifically versions before 147.0.7727.55 running on macOS. Apple macOS is the operating system listed in the CPE, and the issue was reported for Google’s Chrome product on that platform.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate risk, and the EPSS metric of less than 1% suggests a low likelihood of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires delivery of a malicious HTML page through the WebAudio API, making the attack a remote, within‑browser vector that can be launched from any website the victim visits. Because it is an information‑disclosure flaw, it primarily affects confidentiality rather than integrity or availability.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Google

Chrome

affected

Version	Status	Constraints
`147.0.7727.55`	affected	< 147.0.7727.55

Configuration 1 [-]

AND

cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*

cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Google

Chrome

100%

Version	Status	Scheme	Platform
`[0,147.0.7727.55)`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update Google Chrome to the latest stable version (≥ 147.0.7727.55).
Verify that the update has taken effect by checking chrome://settings/help.
If immediate update is not possible, avoid browsing sites that serve malicious WebAudio content or use an un‑affected browser.

Generated by OpenCVE AI on April 13, 2026 at 22:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DSA	DSA-6205-1	chromium security update

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0003.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html
https://issues.chromium.org/issues/485397283
https://nvd.nist.gov/vuln/detail/CVE-2026-5886
https://www.cve.org/CVERecord?id=CVE-2026-5886

History

Mon, 13 Apr 2026 21:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Apple Apple macos
CPEs		cpe:2.3:a:google:chrome:::::::: cpe:2.3:o:apple:macos:-:::::::*
Vendors & Products		Apple Apple macos

Mon, 13 Apr 2026 14:15:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}`	cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N'}`

Fri, 10 Apr 2026 19:15:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}`	ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}` cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}`

Fri, 10 Apr 2026 12:15:00 +0000

Type	Values Removed	Values Added
Title		chromium-browser: Out of bounds read in WebAudio
References		https://nvd.nist.gov/vuln/detail/CVE-2026-5886 https://www.cve.org/CVERecord?id=CVE-2026-5886
Metrics	threat_severity `None`	cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}` threat_severity `Moderate`

Thu, 09 Apr 2026 08:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Google Google chrome
Vendors & Products		Google Google chrome

Wed, 08 Apr 2026 21:30:00 +0000

Type	Values Removed	Values Added
Description		Out of bounds read in WebAudio in Google Chrome on Mac prior to 147.0.7727.55 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)
Weaknesses		CWE-125
References		https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/485397283

Subscriptions

Apple Macos

Google Chrome

MITRE

Status: PUBLISHED

Assigner: Chrome

Published: 2026-04-08T21:20:51.484Z

Updated: 2026-04-13T13:57:12.865Z

Reserved: 2026-04-08T19:34:39.130Z

Link: CVE-2026-5886

Vulnrichment

Updated: 2026-04-10T18:38:50.949Z

NVD

Status : Analyzed

Published: 2026-04-08T22:16:28.367

Modified: 2026-04-13T21:19:35.253

Link: CVE-2026-5886

Redhat

Severity : Moderate

Publid Date: 2026-04-07T00:00:00Z

Links: CVE-2026-5886 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-14T16:37:42Z

Weaknesses

CWE-125

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object