Description
Integer overflow in Media in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to potentially exploit heap corruption via a crafted video file. (Chromium security severity: Low)
Published: 2026-04-08
Score: n/a
EPSS: n/a
KEV: No
Impact: Remote Code Execution
Action: Patch
AI Analysis

Impact

An integer overflow occurs in Chrome's media handling components in any build prior to version 147.0.7727.55. When a specially crafted video file is parsed, the overflow can corrupt the heap and potentially allow an attacker to execute arbitrary code in the context of the browser process. The vulnerability is considered to enable remote code execution, although Chromium's internal review rated its severity low.

Affected Systems

Google Chrome browsers running any release version earlier than 147.0.7727.55 are affected. This includes all desktop and mobile builds of Chrome before that release. No other vendors or product lines are impacted.

Risk and Exploitability

No EPSS score is available and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, suggesting it is not currently known to be widely exploited. The likely attack vector is remote: an attacker can serve a malicious video file to a user who opens or streams it in Chrome. While the severity is low, successful heap corruption offers a pathway to chain additional exploits or pivot into the operating system.

Generated by OpenCVE AI on April 8, 2026 at 22:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 147.0.7727.55 or later
  • Verify that the browser starts normally and confirm that mixed‑content warnings are no longer triggered

Advisories

No advisories yet.

History

Thu, 09 Apr 2026 08:30:00 +0000

Type | Values Removed | Values Added
Title | | Integer Overflow in Chrome Media Engine Enables Heap Corruption via Malicious Video
First Time appeared | | Google; Google chrome
Vendors & Products | | Google; Google chrome

Wed, 08 Apr 2026 21:30:00 +0000

Type | Values Removed | Values Added
Description | | Integer overflow in Media in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to potentially exploit heap corruption via a crafted video file. (Chromium security severity: Low)
Weaknesses | | CWE-472
References | |

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-04-08T21:21:04.162Z

Reserved: 2026-04-08T19:34:45.718Z

Link: CVE-2026-5909

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-08T22:16:30.790

Modified: 2026-04-08T22:16:30.790

Link: CVE-2026-5909

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:26:09Z

Weaknesses