{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5884", "assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "state": "PUBLISHED", "assignerShortName": "Chrome", "dateReserved": "2026-04-08T19:34:38.433Z", "datePublished": "2026-04-08T21:20:50.785Z", "dateUpdated": "2026-04-08T21:20:50.785Z"}, "containers": {"cna": {"affected": [{"vendor": "Google", "product": "Chrome", "versions": [{"version": "147.0.7727.55", "status": "affected", "lessThan": "147.0.7727.55", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Insufficient validation of untrusted input in Media in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who had compromised the renderer process to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Insufficient validation of untrusted input", "cweId": "CWE-20"}]}], "providerMetadata": {"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "shortName": "Chrome", "dateUpdated": "2026-04-08T21:20:50.785Z"}, "references": [{"url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html"}, {"url": "https://issues.chromium.org/issues/484547633"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Insufficient validation of untrusted input in Media in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who had compromised the renderer process to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)"}], "id": "CVE-2026-5884", "lastModified": "2026-04-08T22:16:28.050", "metrics": {}, "published": "2026-04-08T22:16:28.050", "references": [{"source": "chrome-cve-admin@google.com", "url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html"}, {"source": "chrome-cve-admin@google.com", "url": "https://issues.chromium.org/issues/484547633"}], "sourceIdentifier": "chrome-cve-admin@google.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "chrome-cve-admin@google.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[147.0.7727.55,147.0.7727.55)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Chrome", "source": "cna", "vendor": "Google"}, "product": "chrome", "vendor": "google"}], "analysis": {"en": {"generated_at": "2026-04-09T00:35:41.454243+00:00", "value": {"mitigation_remediation": ["Upgrade Google Chrome to version 147.0.7727.55 or newer.", "If an upgrade cannot be performed immediately, avoid loading or interacting with untrusted media content in the affected browser version.", "Keep the browser updated regularly and monitor for further security releases from Google."], "summary": {"action": "Patch Now", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Google Chrome desktop installations \u2013 Windows, macOS, and Linux \u2013 using the stable channel version 147.0.7727.52 or earlier are affected. The advisory lists the vulnerable range up to 147.0.7727.55, which is released as a security update for all three operating systems. Any user who has not yet updated to this version is potentially exposed.", "description_and_impact": "An insufficient validation of untrusted input in the Media component of Google Chrome 147.0.7727.55 and earlier allows a remote attacker, whose prior compromise has already taken control of a renderer process, to cause execution of arbitrary code inside the sandboxed renderer. The flaw is a classic input\u2011validation issue (CWE\u201120) that fails to sanitize data coming from untrusted HTML, enabling the attacker to inject malicious payloads. Because the code runs with renderer\u2011level privileges, it can tamper with browser state, steal information, or pivot to more privileged layers if a sandbox escape is achieved.", "risk_and_exploitability": "Chromium labels the vulnerability as Medium severity and it is not currently listed in the CISA KEV catalog, indicating no publicly documented widespread exploitation. EPSS data is not available, so the probability of a real\u2011world attack remains uncertain. However, the circumstances needed for exploitation \u2013 an attacker that has first compromised the renderer process and then navigates to a crafted page \u2013 represent a realistic attack vector for advanced persistent threats or malware campaigns that target browser weaknesses. The code runs within the sandbox, so the risk of full system compromise depends on a successful sandbox escape; without that, the threat is limited to browser\u2011level attacks."}}}}, "created": "2026-04-09T08:17:18.509959+00:00", "title": "Chrome Media Input Validation Flaw Allows Remote Code Execution in Renderer Sandbox", "updated": "2026-04-09T08:26:42.140937+00:00", "vendors": ["google", "google$PRODUCT$chrome"]}