Description
Insufficient validation of untrusted input in Media in Google Chrome on Android prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Published: 2026-05-06
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability stems from insufficient validation of untrusted media input in Google Chrome for Android. An attacker who has already compromised the renderer process and can deliver specially crafted media within an HTML page can potentially escape the sandbox and execute code with elevated privileges. The weakness is classified as CWE-20, "Improper Input Validation," and the Chromium team assessed it as High severity. If the sandbox is bypassed, the attacker can elevate privileges and potentially compromise the entire device.

Affected Systems

Google Chrome on Android, in versions older than 148.0.7778.96. Any Android device running an affected Chrome build is vulnerable; newer Chrome releases are not affected.

Risk and Exploitability

No EPSS score is available, and the flaw is not listed in the CISA KEV catalog. The CVSS score of 8.3 indicates high severity. The CVE description states that a remote attacker who has already compromised the renderer process could escape the sandbox, which implies that additional steps, such as obtaining initial local code execution or a prior compromise, are required to reach the flaw. Because the vendor has classified the issue as high severity and no exploit is known in the wild, the risk is considered moderate to high for environments that still run legacy Chrome versions.

Generated by OpenCVE AI on May 7, 2026 at 00:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome on all Android devices to version 148.0.7778.96 or newer, which contains the patch for this sandbox escape.
  • If updating Chrome immediately is not possible, restrict or block untrusted media playback by using Chrome’s content settings or a suitable browser extension to prevent rendering of media from unverified sources.
  • For managed devices, configure Chrome Enterprise policies to enforce the latest stable channel and disable any legacy sandboxing exemptions that may exist for media features.



Advisories
Source | ID | Title
Debian DSA | DSA-6250-1 | chromium security update
History

Wed, 06 May 2026 23:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Google android
CPEs | | cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*, cpe:2.3:o:google:android:-:*:*:*:*:*:*:*
Vendors & Products | | Google android

Wed, 06 May 2026 23:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Google, Google chrome
Vendors & Products | | Google, Google chrome

Wed, 06 May 2026 22:15:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H'}; ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 06 May 2026 18:30:00 +0000

Type | Values Removed | Values Added
Description | | Insufficient validation of untrusted input in Media in Google Chrome on Android prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Weaknesses | | CWE-20
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-07T03:56:38.912Z

Reserved: 2026-05-05T22:59:05.605Z

Link: CVE-2026-7905

Vulnrichment

Updated: 2026-05-06T20:32:54.692Z

NVD

Status: Analyzed

Published: 2026-05-06T19:16:38.800

Modified: 2026-05-06T23:42:08.677

Link: CVE-2026-7905

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T00:30:12Z

Weaknesses