CVE-2026-5889 - Vulnerability Details

- chromium-browser: Cryptographic Flaw in PDFium

Description

Cryptographic Flaw in PDFium in Google Chrome prior to 147.0.7727.55 allowed an attacker to read potentially sensitive information from encrypted PDFs via a brute-force attack. (Chromium security severity: Medium)

Published: 2026-04-08

Score: 4.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The flaw is located in PDFium, the PDF rendering engine used by Google Chrome. It permits a brute‑force attack that can recover the key for an encrypted PDF, allowing an attacker to read the document’s hidden content. The weakness involves impaired key management (CWE-326) and use of an insufficient cryptographic algorithm (CWE-334). The result is disclosure of confidential information that was intended to be protected by encryption.

Affected Systems

Google Chrome versions before 147.0.7727.55 on any operating system are impacted. Users who have not installed this update are vulnerable to the attack by interacting with a malicious PDF. The problem is confined to the browser; the underlying operating systems are not directly affected.

Risk and Exploitability

The vulnerability scores a moderate severity. The chance of widespread exploitation is low, and it is not listed in the CISA Known Exploited Vulnerabilities catalog. Successful exploitation requires an attacker to supply a malicious PDF that the victim opens. The attack demands several attempts and therefore represents a moderate effort for the adversary.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Google

Chrome

affected

Version	Status	Constraints
`147.0.7727.55`	affected	< 147.0.7727.55

Configuration 1 [-]

AND

cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*

OR	cpe:2.3:o:apple:macos:-:::::::*
	cpe:2.3:o:linux:linux_kernel:-:::::::*
	cpe:2.3:o:microsoft:windows:-:::::::*

No data.

Vendor Product Confidence Versions

Google

Chrome

100%

Version	Status	Scheme	Platform
`[147.0.7727.55,147.0.7727.55)`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update Google Chrome to version 147.0.7727.55 or later
Avoid opening PDF files from untrusted sources
Verify that your browser update has been applied by checking the About page or release notes

Generated by OpenCVE AI on April 14, 2026 at 13:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DSA	DSA-6205-1	chromium security update

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00006.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html
https://issues.chromium.org/issues/486906037
https://nvd.nist.gov/vuln/detail/CVE-2026-5889
https://www.cve.org/CVERecord?id=CVE-2026-5889

History

Tue, 14 Apr 2026 12:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Apple Apple macos Linux Linux linux Kernel Microsoft Microsoft windows
CPEs		cpe:2.3:a:google:chrome:::::::: cpe:2.3:o:apple:macos:-:::::::* cpe:2.3:o:linux:linux_kernel:-:::::::* cpe:2.3:o:microsoft:windows:-:::::::*
Vendors & Products		Apple Apple macos Linux Linux linux Kernel Microsoft Microsoft windows

Mon, 13 Apr 2026 21:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-326
Metrics	cvssV3_1 `{'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}`	ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}` cvssV3_1 `{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}`

Mon, 13 Apr 2026 14:30:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-327

Fri, 10 Apr 2026 12:15:00 +0000

Type	Values Removed	Values Added
Title	Cryptographic Brute‑Force Vulnerability in PDFium	chromium-browser: Cryptographic Flaw in PDFium
Weaknesses		CWE-334
References		https://nvd.nist.gov/vuln/detail/CVE-2026-5889 https://www.cve.org/CVERecord?id=CVE-2026-5889
Metrics	threat_severity `None`	cvssV3_1 `{'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}` threat_severity `Moderate`

Thu, 09 Apr 2026 08:30:00 +0000

Type	Values Removed	Values Added
Title		Cryptographic Brute‑Force Vulnerability in PDFium
First Time appeared		Google Google chrome
Weaknesses		CWE-327
Vendors & Products		Google Google chrome

Wed, 08 Apr 2026 21:30:00 +0000

Type	Values Removed	Values Added
Description		Cryptographic Flaw in PDFium in Google Chrome prior to 147.0.7727.55 allowed an attacker to read potentially sensitive information from encrypted PDFs via a brute-force attack. (Chromium security severity: Medium)
References		https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/486906037

Subscriptions

Apple Macos

Google Chrome

Linux Linux Kernel

Microsoft Windows

MITRE

Status: PUBLISHED

Assigner: Chrome

Published: 2026-04-08T21:20:52.705Z

Updated: 2026-04-13T20:17:49.052Z

Reserved: 2026-04-08T19:34:39.903Z

Link: CVE-2026-5889

Vulnrichment

Updated: 2026-04-13T20:17:05.238Z

NVD

Status : Analyzed

Published: 2026-04-08T22:16:28.783

Modified: 2026-04-14T11:45:17.880

Link: CVE-2026-5889

Redhat

Severity : Moderate

Publid Date: 2026-04-07T00:00:00Z

Links: CVE-2026-5889 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-14T16:37:39Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object