CVE-2026-5280Use After Free in Google Chrome

CWE-416Use After FreeCWE-825Expired Pointer DereferenceCWE-295Improper Certificate Validation16 documents11 sources
Severity
8.8HIGHNVD
GHSA6.5
EPSS
0.1%
top 78.25%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Google ChromeChromium
Timeline
PublishedApr 1
Latest updateApr 2

Description

Use after free in WebCodecs in Google Chrome prior to 146.0.7680.178 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

CVEListV5google/chrome146.0.7680.178146.0.7680.178
NVDgoogle/chrome< 146.0.7680.177
Debianchromium/chromium< 146.0.7680.177-1~deb12u1+2

🔴Vulnerability Details

5
GHSA
GHSA-rxr9-x3w7-wrh7: Use after free in WebCodecs in Google Chrome prior to 1462026-04-01
OSV
CVE-2026-5280: Use after free in WebCodecs in Google Chrome prior to 1462026-04-01
CVEList
CVE-2026-5280: Use after free in WebCodecs in Google Chrome prior to 1462026-04-01
GHSA
cryptography has incomplete DNS name constraint enforcement on peer names2026-03-27
GHSA
Forge has a basicConstraints bypass in its certificate chain verification (RFC 5280 violation)2026-03-26

📋Vendor Advisories

5
Microsoft
Chromium: CVE-2026-5280 Use after free in WebCodecs2026-04-02
Red Hat
chromium-browser: Use after free in WebCodecs2026-03-31
Chrome
Stable Channel Update for Desktop: CVE-2026-52782026-03-31
Red Hat
node-forge: Forge (node-forge): Certificate validation bypass allows unauthorized certificate issuance2026-03-27
Debian
CVE-2026-5280: chromium - Use after free in WebCodecs in Google Chrome prior to 146.0.7680.178 allowed a r...2026

🕵️Threat Intelligence

1
Wiz
CVE-2026-5280 Impact, Exploitability, and Mitigation Steps | Wiz

💬Community

3
Bugzilla
CVE-2026-5280 chromium: Use after free in WebCodecs [epel-all]2026-04-01
Bugzilla
CVE-2026-5280 chromium: Use after free in WebCodecs [fedora-all]2026-04-01
Bugzilla
CVE-2026-32884 Botan: Botan: Certificate validation bypass due to mixed-case Common Name in X.509 certificates2026-03-30
CVE-2026-5280 — Use After Free in Google Chrome | cvebase