{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5909", "assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "state": "PUBLISHED", "assignerShortName": "Chrome", "dateReserved": "2026-04-08T19:34:45.718Z", "datePublished": "2026-04-08T21:21:04.162Z", "dateUpdated": "2026-04-08T21:21:04.162Z"}, "containers": {"cna": {"affected": [{"vendor": "Google", "product": "Chrome", "versions": [{"version": "147.0.7727.55", "status": "affected", "lessThan": "147.0.7727.55", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Integer overflow in Media in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to potentially exploit heap corruption via a crafted video file. (Chromium security severity: Low)"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Integer overflow", "cweId": "CWE-472"}]}], "providerMetadata": {"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "shortName": "Chrome", "dateUpdated": "2026-04-08T21:21:04.162Z"}, "references": [{"url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html"}, {"url": "https://issues.chromium.org/issues/485203821"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Integer overflow in Media in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to potentially exploit heap corruption via a crafted video file. (Chromium security severity: Low)"}], "id": "CVE-2026-5909", "lastModified": "2026-04-08T22:16:30.790", "metrics": {}, "published": "2026-04-08T22:16:30.790", "references": [{"source": "chrome-cve-admin@google.com", "url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html"}, {"source": "chrome-cve-admin@google.com", "url": "https://issues.chromium.org/issues/485203821"}], "sourceIdentifier": "chrome-cve-admin@google.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-472"}], "source": "chrome-cve-admin@google.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,147.0.7727.55)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Chrome", "source": "cna", "vendor": "Google"}, "product": "chrome", "vendor": "google"}], "analysis": {"en": {"generated_at": "2026-04-08T22:56:23.529089+00:00", "value": {"mitigation_remediation": ["Upgrade Google Chrome to version 147.0.7727.55 or later", "Verify that the browser starts normally and confirm that mixed\u2011content warnings are no longer triggered"], "summary": {"action": "Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Google Chrome browsers running any release version earlier than 147.0.7727.55 are affected. This includes all desktop and mobile builds of Chrome before that release. No other vendors or product lines are impacted.", "description_and_impact": "An integer overflow occurs within Chrome's media handling components in any build prior to version 147.0.7727.55. When a specially crafted video file is parsed, the overflow can corrupt the heap and potentially allow an attacker to execute arbitrary code in the context of the browser process. The vulnerability is considered to enable remote code execution, though the severity scored low in Chromium's internal review.", "risk_and_exploitability": "No EPSS score is available and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, suggesting it is not currently known to be widely exploited. The likely attack vector is remote \u2013 an attacker can serve a malicious video file to a user who opens or streams it in Chrome. While the severity is low, heap corruption offers a pathway to leverage additional exploits or pivot into the operating system if successful."}}}}, "created": "2026-04-09T08:16:43.737497+00:00", "title": "Integer Overflow in Chrome Media Engine Enables Heap Corruption via Malicious Video", "updated": "2026-04-09T08:26:09.884684+00:00", "vendors": ["google", "google$PRODUCT$chrome"]}