Description
Policy bypass in Audio in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who convinced a user to engage in specific UI gestures to bypass sandbox download restrictions via a crafted HTML page. (Chromium security severity: Low)
Published: 2026-04-08
Score: n/a
EPSS: n/a
KEV: No
Impact: Sandbox Download Bypass via Policy Exfiltration
Action: Patch Now
AI Analysis

Impact

A flaw in policy enforcement in Chrome's Audio component lets a crafted web page, once it has led a user through a specific set of UI gestures, bypass sandbox download restrictions, so that files that would otherwise be blocked can be downloaded. This flaw opens a path for a remote attacker to obtain local files or cross sandbox boundaries, compromising data confidentiality and potentially facilitating further malicious activity.

Affected Systems

Google Chrome versions earlier than 147.0.7727.55 on the stable desktop channel are vulnerable. Only Chrome’s standard desktop build is affected; mobile or other platforms are not listed.

Risk and Exploitability

The vulnerability carries a Low Chromium security severity rating and has no EPSS data or KEV listing, indicating a modest overall risk. Exploitation requires a remote attacker to persuade a user to browse a malicious HTML page and perform specific gestures. The attack is therefore delivered remotely over the web and depends on user interaction. Nevertheless, any compromised download could lead to sandbox escape or local file disclosure, so the potential impact is nontrivial if attackers succeed.

Generated by OpenCVE AI on April 8, 2026 at 22:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to version 147.0.7727.55 or newer.
  • Verify that automatic updates are enabled to receive future security releases.
  • Consider disabling sandbox downloads if temporary mitigation is needed until a patch is applied.

Advisories

No advisories yet.

History

Thu, 09 Apr 2026 08:30:00 +0000

Type | Values Removed | Values Added
Title |  | Chrome Audio Policy Bypass Allowing Sandbox Download Escape
First Time appeared |  | Google; Google chrome
Weaknesses |  | CWE-284; CWE-285
Vendors & Products |  | Google; Google chrome

Wed, 08 Apr 2026 21:30:00 +0000

Type | Values Removed | Values Added
Description |  | Policy bypass in Audio in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who convinced a user to engage in specific UI gestures to bypass sandbox download restrictions via a crafted HTML page. (Chromium security severity: Low)
References |  |

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-04-08T21:20:57.512Z

Reserved: 2026-04-08T19:34:41.736Z

Link: CVE-2026-5896

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-08T22:16:29.500

Modified: 2026-04-08T22:16:29.500

Link: CVE-2026-5896

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:26:22Z

Weaknesses