CVE-2026-5907
published 2026-04-08CVE-2026-5907: Insufficient data validation in Media in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to perform an out of bounds memory read via a crafted…
high8.1CVSS 3.1
AVNACLPRNUIRSUCHINAH
Insufficient data validation in Media in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to perform an out of bounds memory read via a crafted video file. (Chromium security severity: Low)
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | chromium | < chromium 147.0.7727.55-1 (sid) | chromium 147.0.7727.55-1 (sid) |
| chrome | >= 147.0.7727.55 < 147.0.7727.55 | 147.0.7727.55 | |
| chrome_chrome | — | — |
CVSS provenance
nvdv3.18.1HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
osv8.1HIGH
Chrome
Stable Channel Update for ChromeOS / ChromeOS Flex: CVE-2026-5907
vendor_chrome·2026-04-22·CVSS 8.1
CVE-2026-5907 [HIGH] Stable Channel Update for ChromeOS / ChromeOS Flex: CVE-2026-5907
Stable Channel Update for ChromeOS / ChromeOS Flex
CVE-2026-5907
Chrome
Stable Channel Update for Desktop: CVE-2026-5906
vendor_chrome·2026-04-07·CVSS 4.3
CVE-2026-5906 [LOW] Stable Channel Update for Desktop: CVE-2026-5906
Stable Channel Update for Desktop
CVE-2026-5906: Incorrect security UI in Omnibox. Reported by mohamedhesham9173 on 2026-02-13 [TBD][ 484665123 ] Low CVE-2026-5907: Insufficient data validation in Media
Reported by Luke Francis on 2026-02-15 [TBD][ 485115554 ] Low CVE-2026-5908: Integer overflow in Media
Severity: low
Red Hat
chromium-browser: Insufficient data validation in Media
vendor_redhat·2026-04-07·CVSS 8.1
CVE-2026-5907 [HIGH] CWE-125 chromium-browser: Insufficient data validation in Media
chromium-browser: Insufficient data validation in Media
An insufficient data validation flaw was found in the Media component of the Chromium browser.
Upstream bug(s):
https://code.google.com/p/chromium/issues/detail?id=484665123
Statement: Red Hat Product Security rates the severity of this flaw as determined by the Google Chrome Security Advisory.
Debian
CVE-2026-5907: chromium - Insufficient data validation in Media in Google Chrome prior to 147.0.7727.55 al...
vendor_debian·2026·CVSS 8.1
CVE-2026-5907 [HIGH] CVE-2026-5907: chromium - Insufficient data validation in Media in Google Chrome prior to 147.0.7727.55 al...
Insufficient data validation in Media in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to perform an out of bounds memory read via a crafted video file. (Chromium security severity: Low)
Scope: local
bookworm: open
bullseye: open
forky: open
sid: resolved (fixed in 147.0.7727.55-1)
trixie: open
GHSA
GHSA-96rx-8295-gjvx: Insufficient data validation in Media in Google Chrome prior to 147
ghsa_unreviewed·2026-04-09
CVE-2026-5907 [HIGH] CWE-125 GHSA-96rx-8295-gjvx: Insufficient data validation in Media in Google Chrome prior to 147
Insufficient data validation in Media in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to perform an out of bounds memory read via a crafted video file. (Chromium security severity: Low)
OSV
CVE-2026-5907: Insufficient data validation in Media in Google Chrome prior to 147
osv·2026-04-08·CVSS 8.1
CVE-2026-5907 [HIGH] CVE-2026-5907: Insufficient data validation in Media in Google Chrome prior to 147
Insufficient data validation in Media in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to perform an out of bounds memory read via a crafted video file. (Chromium security severity: Low)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-5907 chromium-browser: Insufficient data validation in Media
bugzilla·2026-04-08·CVSS 8.1
CVE-2026-5907 [HIGH] CVE-2026-5907 chromium-browser: Insufficient data validation in Media
CVE-2026-5907 chromium-browser: Insufficient data validation in Media
Insufficient data validation in Media in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to perform an out of bounds memory read via a crafted video file. (Chromium security severity: Low)
Sans Isc
Microsoft Patch Tuesday April 2026., (Tue, Apr 14th)
blogs_sans_isc·2026-04-14·CVSS 8.8
[HIGH] Microsoft Patch Tuesday April 2026., (Tue, Apr 14th)
Microsoft Patch Tuesday April 2026.
Published: 2026-04-14. Last Updated: 2026-04-14 17:46:09 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)
This month's Microsoft Patch Tuesday looks like a record one, but let's look at it a bit closer to understand what is happening
The update patches a total of 243 vulnerabilities. However, 78 of them are Chromium issues affecting Microsoft Edge. Patches for Edge were released earlier. This leaves 165 vulnerabilities that are not Edge-related. Of these, 8 are rated critical, and 154 are important. One vulnerability has already been exploited, and another was made public before today but has not yet been seen in the wild.
Noteworthy Vulnerabilities:
CVE-2026-33827 (Windows TCP/IP Remote Code Execution Vulnerability): As a packet nerd, I love thes
Wiz
CVE-2026-5907 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.1
CVE-2026-5907 [HIGH] CVE-2026-5907 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-5907 :
Google Chrome vulnerability analysis and mitigation
Insufficient data validation in Media in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to perform an out of bounds memory read via a crafted video file. (Chromium security severity: Low)
Source : NVD
## 8.1
Score
Published April 8, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
Google Chrome
Chromium
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.3:a:google:chrome
chromium
Sources
NVD
Debian 11, 12, 13, 14 Severity HIGH No Fix Added at: Apr 09, 2026
Echo Severity HIGH No Fix Added at: Apr 09, 2026
Linux
2026-04-08
Published