{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5902", "assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "state": "PUBLISHED", "assignerShortName": "Chrome", "dateReserved": "2026-04-08T19:34:43.375Z", "datePublished": "2026-04-08T21:21:00.103Z", "dateUpdated": "2026-04-08T21:21:00.103Z"}, "containers": {"cna": {"affected": [{"vendor": "Google", "product": "Chrome", "versions": [{"version": "147.0.7727.55", "status": "affected", "lessThan": "147.0.7727.55", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Race in Media in Google Chrome on Android prior to 147.0.7727.55 allowed a remote attacker who had compromised the renderer process to corrupt media stream metadata via a crafted HTML page. (Chromium security severity: Low)"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Race", "cweId": "CWE-362"}]}], "providerMetadata": {"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "shortName": "Chrome", "dateUpdated": "2026-04-08T21:21:00.103Z"}, "references": [{"url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html"}, {"url": "https://issues.chromium.org/issues/483109205"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Race in Media in Google Chrome on Android prior to 147.0.7727.55 allowed a remote attacker who had compromised the renderer process to corrupt media stream metadata via a crafted HTML page. (Chromium security severity: Low)"}], "id": "CVE-2026-5902", "lastModified": "2026-04-08T22:16:30.080", "metrics": {}, "published": "2026-04-08T22:16:30.080", "references": [{"source": "chrome-cve-admin@google.com", "url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html"}, {"source": "chrome-cve-admin@google.com", "url": "https://issues.chromium.org/issues/483109205"}], "sourceIdentifier": "chrome-cve-admin@google.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-362"}], "source": "chrome-cve-admin@google.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "147.0.7727.55"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Chrome", "source": "cna", "vendor": "Google"}, "product": "chrome", "vendor": "google"}], "analysis": {"en": {"generated_at": "2026-04-08T22:36:53.848458+00:00", "value": {"mitigation_remediation": ["Update Chrome on Android to version 147.0.7727.55 or later"], "summary": {"action": "Apply Patch", "impact": "Media Metadata Corruption"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Google Chrome for Android versions earlier than 147.0.7727.55. Users of Chrome on Android should verify their current version and apply updates when available.", "description_and_impact": "A race condition in Chrome\u2019s media rendering code on Android allows a remote attacker who has already compromised the renderer process to corrupt media stream metadata via a crafted HTML page. The flaw does not grant arbitrary code execution or system compromise; instead it introduces malformed or inconsistent media data that could affect applications relying on accurate metadata. It is classified as a low\u2011severity issue by Chromium security reviewers.", "risk_and_exploitability": "The defect is rated low severity and is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation requires the attacker to have already obtained control of the renderer process, which limits the attack surface. Without that prerequisite, the race condition cannot be triggered. No EPSS score is available, so the overall risk can be considered modest and primarily mitigated by keeping Chrome up to date."}}}}, "created": "2026-04-09T08:16:50.500641+00:00", "title": "Race Condition in Chrome Media Rendering Enables Metadata Corruption", "updated": "2026-04-09T08:26:16.703913+00:00", "vendors": ["google", "google$PRODUCT$chrome"]}