CVE-2026-5902
Published: 2026-04-08
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Race in Media in Google Chrome on Android prior to 147.0.7727.55 allowed a remote attacker who had compromised the renderer process to corrupt media stream metadata via a crafted HTML page. (Chromium security severity: Low)
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | chromium | < chromium 147.0.7727.55-1 (sid) | chromium 147.0.7727.55-1 (sid) |
| | chrome | < 147.0.7727.55 | 147.0.7727.55 |
| | chrome | >= 147.0.7727.55 < 147.0.7727.55 | 147.0.7727.55 |
| | chrome_chrome | — | — |
CVSS provenance
nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
osv · 9.8 CRITICAL
Red Hat
chromium-browser: Race in Media
vendor_redhat·2026-04-07·CVSS 9.8
CVE-2026-5902 [CRITICAL] CWE-368 chromium-browser: Race in Media
A race flaw was found in the Media component of the Chromium browser.
Upstream bug(s):
https://code.google.com/p/chromium/issues/detail?id=483109205
Statement: Red Hat Product Security rates the severity of this flaw as determined by the Google Chrome Security Advisory.
Chrome
Stable Channel Update for Desktop: CVE-2026-5900
vendor_chrome·2026-04-07·CVSS 4.3
CVE-2026-5900 [LOW] Stable Channel Update for Desktop: CVE-2026-5900
Stable Channel Update for Desktop
CVE-2026-5900: Policy bypass in Downloads. Reported by Luan Herrera (@lbherrera_) on 2026-01-13
[TBD][479673903] Low CVE-2026-5901: Policy bypass in DevTools. Reported by Povcfe of Tencent Security Xuanwu Lab on 2026-01-29
[TBD][483109205] Low CVE-2026-5902: Race in Media
Severity: low
Debian
CVE-2026-5902: chromium - Race in Media in Google Chrome on Android prior to 147.0.7727.55 allowed a remot...
vendor_debian·2026·CVSS 9.8
CVE-2026-5902 [CRITICAL] CVE-2026-5902: chromium - Race in Media in Google Chrome on Android prior to 147.0.7727.55 allowed a remot...
Race in Media in Google Chrome on Android prior to 147.0.7727.55 allowed a remote attacker who had compromised the renderer process to corrupt media stream metadata via a crafted HTML page. (Chromium security severity: Low)
Scope: local
bookworm: open
bullseye: open
forky: open
sid: resolved (fixed in 147.0.7727.55-1)
trixie: open
VulDB
Google Chrome up to 146.0.7680.178 on Android Media race condition (ID 483109 / Nessus ID 305688)
vuldb·2026-04-13·CVSS 9.8
CVE-2026-5902 [CRITICAL] Google Chrome up to 146.0.7680.178 on Android Media race condition (ID 483109 / Nessus ID 305688)
A vulnerability, which was classified as problematic, has been found in Google Chrome on Android. Affected is an unknown function of the component Media. The manipulation leads to race condition.
This vulnerability is traded as CVE-2026-5902. It is possible to initiate the attack remotely. There is no exploit available.
It is advisable to upgrade the affected component.
GHSA
GHSA-mxfw-g2rw-x783: Race in Media in Google Chrome on Android prior to 147
ghsa_unreviewed·2026-04-09
CVE-2026-5902 CWE-362 GHSA-mxfw-g2rw-x783: Race in Media in Google Chrome on Android prior to 147
Race in Media in Google Chrome on Android prior to 147.0.7727.55 allowed a remote attacker who had compromised the renderer process to corrupt media stream metadata via a crafted HTML page. (Chromium security severity: Low)
OSV
CVE-2026-5902: Race in Media in Google Chrome on Android prior to 147
osv·2026-04-08·CVSS 9.8
CVE-2026-5902 [CRITICAL] CVE-2026-5902: Race in Media in Google Chrome on Android prior to 147
Race in Media in Google Chrome on Android prior to 147.0.7727.55 allowed a remote attacker who had compromised the renderer process to corrupt media stream metadata via a crafted HTML page. (Chromium security severity: Low)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-5902 chromium-browser: Race in Media
bugzilla·2026-04-08·CVSS 9.8
CVE-2026-5902 [CRITICAL] CVE-2026-5902 chromium-browser: Race in Media
Race in Media in Google Chrome on Android prior to 147.0.7727.55 allowed a remote attacker who had compromised the renderer process to corrupt media stream metadata via a crafted HTML page. (Chromium security severity: Low)
SANS ISC
Microsoft Patch Tuesday April 2026 (Tue, Apr 14th)
blogs_sans_isc·2026-04-14·CVSS 8.8
[HIGH] Microsoft Patch Tuesday April 2026 (Tue, Apr 14th)
Microsoft Patch Tuesday April 2026.
Published: 2026-04-14. Last Updated: 2026-04-14 17:46:09 UTC
by Johannes Ullrich (Version: 1)
This month's Microsoft Patch Tuesday looks like a record one, but let's look at it a bit closer to understand what is happening.
The update patches a total of 243 vulnerabilities. However, 78 of them are Chromium issues affecting Microsoft Edge. Patches for Edge were released earlier. This leaves 165 vulnerabilities that are not Edge-related. Of these, 8 are rated critical, and 154 are important. One vulnerability has already been exploited, and another was made public before today but has not yet been seen in the wild.
Noteworthy Vulnerabilities:
CVE-2026-33827 (Windows TCP/IP Remote Code Execution Vulnerability): As a packet nerd, I love thes
Wiz
CVE-2026-5902 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
CVE-2026-5902 [HIGH] CVE-2026-5902 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-5902: Google Chrome vulnerability analysis and mitigation
Race in Media in Google Chrome on Android prior to 147.0.7727.55 allowed a remote attacker who had compromised the renderer process to corrupt media stream metadata via a crafted HTML page. (Chromium security severity: Low)
Source: NVD
Published: April 8, 2026
CNA Score: N/A
Affected Technologies: Google Chrome, Chromium
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 9.2
Exploitation Probability (EPSS): N/A
Affected packages and libraries
cpe:2.3:a:google:chrome
chromium
Sources
NVD
Debian 11, 12, 13, 14 · No Fix · Added at: Apr 09, 2026
Echo · No Fix · Added at: Apr 09, 2026
Linux · Has Fix · Added at: Apr 09, 2026
Windows
Published: 2026-04-08