Description
Policy bypass in Audio in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who convinced a user to engage in specific UI gestures to bypass sandbox download restrictions via a crafted HTML page. (Chromium security severity: Low)
Published: 2026-04-08
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Bypass sandbox download restrictions via crafted HTML
Action: Patch
AI Analysis

Impact

A vulnerability in Google Chrome’s audio policy allows a remote attacker to craft a web page that, when a user performs certain UI gestures, bypasses the browser’s sandbox download restrictions. The flaw is rooted in a protection mechanism failure and improper permission settings for sensitive data, as classified by CWE‑693 and CWE‑807.

Affected Systems

The issue affects Google Chrome versions earlier than 147.0.7727.55 on all major operating systems, including macOS, Windows and Linux distributions that run the Chromium engine.

Risk and Exploitability

The CVSS score of 6.1 indicates moderate severity, and the EPSS score of less than 1% suggests a low likelihood of exploitation. The flaw is not listed in the CISA KEV catalog, but successful exploitation requires a user to visit a malicious web page and perform specific UI gestures. Once triggered, an attacker could download files outside the sandbox, potentially leading to further compromise.

Generated by OpenCVE AI on April 14, 2026 at 17:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to version 147.0.7727.55 or later
  • Avoid interacting with untrusted audio content in web pages until the browser is updated

Generated by OpenCVE AI on April 14, 2026 at 17:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6205-1 chromium security update
History

Tue, 14 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284
CWE-285

Mon, 13 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Mon, 13 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-693
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 10 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Title Chrome Audio Policy Bypass Allowing Sandbox Download Escape chromium-browser: Policy bypass in Audio
Weaknesses CWE-807
References
Metrics threat_severity

None

 cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

threat_severity

Low

Thu, 09 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
Title Chrome Audio Policy Bypass Allowing Sandbox Download Escape
First Time appeared Google
Google chrome
Weaknesses CWE-284
CWE-285
Vendors & Products Google
Google chrome

Wed, 08 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
Description Policy bypass in Audio in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who convinced a user to engage in specific UI gestures to bypass sandbox download restrictions via a crafted HTML page. (Chromium security severity: Low)
References

Subscriptions

Apple Macos
Google Chrome
Linux Linux Kernel
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-04-13T20:09:29.514Z

Reserved: 2026-04-08T19:34:41.736Z

Link: CVE-2026-5896

cve-icon Vulnrichment

Updated: 2026-04-13T20:08:56.194Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-08T22:16:29.500

Modified: 2026-04-13T21:18:20.650

Link: CVE-2026-5896

cve-icon Redhat

Severity : Low

Publid Date: 2026-04-07T00:00:00Z

Links: CVE-2026-5896 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T16:15:11Z

Weaknesses