Description
Insufficient validation of untrusted input in WebML in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Low)
Published: 2026-04-08
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution via Out‑of‑Bounds Memory Write
Action: Immediate Patch
AI Analysis

Impact

This flaw stems from insufficient validation of untrusted input in the WebML engine of Google Chrome. A crafted HTML page can trigger an out‑of‑bounds memory write, which may allow a remote attacker to execute arbitrary code on the victim’s machine. The weakness is related to improper bounds checks and unsafe memory handling, as reflected in the CWE identifiers for input validation failure and buffer overflow.

Affected Systems

The vulnerability affects Google Chrome versions earlier than 147.0.7727.55 across all major operating systems—including Windows, macOS, and Linux—as indicated by the corresponding CPE entries. Users of these browser versions are at risk when visiting malicious or compromised web content.

Risk and Exploitability

The CVSS score of 8.1 denotes a high severity, while the EPSS score below 1% suggests that the exploitation probability is currently low. The issue is not listed in the CISA KEV catalog, indicating no confirmed widespread exploitation yet. The likely attack vector is a web page loaded in the victim’s browser; the attacker must host a malicious site that serves specially crafted content that triggers the out‑of‑bounds write. The impact could be complete system compromise if the memory corruption is successfully exploited.

Generated by OpenCVE AI on April 14, 2026 at 15:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 147.0.7727.55 or newer.
  • If an update is not immediately possible, restrict the use of the affected Chrome version or enforce strict browsing isolation such as a sandboxed environment.
  • Monitor for unusual application crashes or memory‑corruption symptoms, and stay informed about any vendor advisories or patches.

Advisories

Source      ID          Title
Debian DSA  DSA-6205-1  chromium security update
History

Tue, 14 Apr 2026 14:15:00 +0000
  First Time appeared: Apple; Apple macos; Linux; Linux linux Kernel; Microsoft; Microsoft windows
  CPEs:
    cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
    cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
    cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
    cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
  Vendors & Products: Apple; Apple macos; Linux; Linux linux Kernel; Microsoft; Microsoft windows

Fri, 10 Apr 2026 12:15:00 +0000
  Title: chromium-browser: Insufficient validation of untrusted input in WebML
  Weaknesses: CWE-787
  References
  Metrics threat_severity: None (removed) → Low (added)

Fri, 10 Apr 2026 10:00:00 +0000
  Title: Out-of-Bounds Memory Write in Chrome WebML via Crafted HTML

Thu, 09 Apr 2026 15:15:00 +0000
  Metrics cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H'}
  Metrics ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 09 Apr 2026 08:30:00 +0000
  Title: Out-of-Bounds Memory Write in Chrome WebML via Crafted HTML
  First Time appeared: Google; Google chrome
  Vendors & Products: Google; Google chrome

Wed, 08 Apr 2026 21:30:00 +0000
  Description: Insufficient validation of untrusted input in WebML in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Low)
  Weaknesses: CWE-20
  References

MITRE

Status: PUBLISHED
Assigner: Chrome
Published:
Updated: 2026-04-29T15:14:35.790Z
Reserved: 2026-04-08T19:34:47.097Z
Link: CVE-2026-5915

Vulnrichment

Updated: 2026-04-09T14:33:52.688Z

NVD

Status: Modified
Published: 2026-04-08T22:16:31.460
Modified: 2026-04-29T16:16:27.930
Link: CVE-2026-5915

Redhat

Severity: Low
Public Date: 2026-04-07T00:00:00Z
Links: CVE-2026-5915 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-14T16:37:06Z

Weaknesses