Description
Integer overflow in Media in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to potentially exploit heap corruption via a crafted video file. (Chromium security severity: Low)
Published: 2026-04-08
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Heap Corruption
Action: Patch
AI Analysis

Impact

An integer overflow in the media parser triggers during the processing of a video file. When a maliciously crafted file is parsed, the overflow can corrupt heap memory and potentially disrupt browser operation or compromise user data. The weakness corresponds to integer overrun (CWE‑190) and improper memory boundary handling (CWE‑472).

Affected Systems

Google Chrome versions prior to 147.0.7727.55 on Windows, macOS, and Linux are affected, as the flaw exists in all builds before this update.

Risk and Exploitability

The vulnerability has a CVSS score of 8.8, indicating high severity. The EPSS score is below 1%, suggesting a low probability of exploitation. It is not cited in the CISA Known Exploited Vulnerabilities list, which reduces the likelihood that it is actively leveraged. The probable attack vector involves delivering a crafted video file that the browser automatically parses; onset of heap corruption would then allow further exploitation if additional weaknesses exist.

Generated by OpenCVE AI on April 14, 2026 at 16:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Chrome update (147.0.7727.55 or later).
  • If an update cannot be applied immediately, disable or restrict media playback until the update is available.

Generated by OpenCVE AI on April 14, 2026 at 16:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6205-1 chromium security update
History

Tue, 14 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Fri, 10 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Title chromium-browser: Integer overflow in Media
Weaknesses CWE-190
References
Metrics threat_severity

None

 threat_severity

Low

Fri, 10 Apr 2026 10:00:00 +0000

Type Values Removed Values Added
Title Potential Heap Corruption from Integer Overflow in Chrome Media Processing

Thu, 09 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 09 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
Title Potential Heap Corruption from Integer Overflow in Chrome Media Processing
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Wed, 08 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
Description Integer overflow in Media in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to potentially exploit heap corruption via a crafted video file. (Chromium security severity: Low)
Weaknesses CWE-472
References

Subscriptions

Apple Macos
Google Chrome
Linux Linux Kernel
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-04-29T15:13:24.723Z

Reserved: 2026-04-08T19:34:44.856Z

Link: CVE-2026-5908

cve-icon Vulnrichment

Updated: 2026-04-09T15:27:17.496Z

cve-icon NVD

Status : Modified

Published: 2026-04-08T22:16:30.677

Modified: 2026-04-29T16:16:26.823

Link: CVE-2026-5908

cve-icon Redhat

Severity : Low

Publid Date: 2026-04-07T00:00:00Z

Links: CVE-2026-5908 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:39:38Z

Weaknesses