Description
Race in WebCodecs in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-04-08
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A race condition exists in Chrome’s WebCodecs implementation that permits a remote attacker to read data from the browser’s process memory. An attacker can craft a malicious HTML page that exploits the timing flaw, allowing access to potentially sensitive information. This vulnerability falls under multiple concurrency weaknesses, as identified by CWE-362 and CWE-368, and is rated Medium in severity by Chromium’s own risk assessment.

Affected Systems

All users of Google Chrome that run versions prior to 147.0.7727.55 are affected. The vulnerability is specific to the Chrome product from Google, and it does not extend to other browsers or products.

Risk and Exploitability

Exploitation requires a remote attacker to persuade a user to load a page that triggers the race. The exact method is not described in detail, but a malicious HTML page or similar content is the inferred vector. The attacker would typically need to convince the user to visit such a page (through phishing, malicious advertisements, or compromised sites), and access would be gained via the timing flaw in WebCodecs. The low EPSS score (<1%) suggests a modest likelihood of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. The CVSS base score of 7.5 places the flaw in the High severity range, indicating that successful exploitation could lead to a memory disclosure.

Generated by OpenCVE AI on June 2, 2026 at 17:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 147.0.7727.55 or later.
  • If an immediate upgrade is not feasible, start Chrome with the flag --disable-features=WebCodecs to prevent usage of the vulnerable API.
  • Review all installed Chrome extensions; remove or update those that rely on WebCodecs until the browser is patched.


Advisories
Source ID Title
Debian DSA DSA-6205-1 chromium security update
History

Tue, 02 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Thu, 16 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}

cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N'}


Fri, 10 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Title chromium-browser: Race in WebCodecs
Weaknesses CWE-368
References
Metrics threat_severity

None

cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}

threat_severity

Moderate


Thu, 09 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Wed, 08 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
Description Race in WebCodecs in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)
Weaknesses CWE-362
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-02T16:07:31.977Z

Reserved: 2026-04-08T19:34:40.168Z

Link: CVE-2026-5890

Vulnrichment

Updated: 2026-04-09T17:26:25.599Z

NVD

Status: Modified

Published: 2026-04-08T22:16:28.873

Modified: 2026-06-17T10:59:50.520

Link: CVE-2026-5890

Redhat

Severity: Moderate

Public Date: 2026-04-07T00:00:00Z

Links: CVE-2026-5890 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-02T18:00:19Z

Weaknesses
  • CWE-362

    Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

  • CWE-368

    Context Switching Race Condition