{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5885", "assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "state": "PUBLISHED", "assignerShortName": "Chrome", "dateReserved": "2026-04-08T19:34:38.682Z", "datePublished": "2026-04-08T21:20:51.118Z", "dateUpdated": "2026-04-08T21:20:51.118Z"}, "containers": {"cna": {"affected": [{"vendor": "Google", "product": "Chrome", "versions": [{"version": "147.0.7727.55", "status": "affected", "lessThan": "147.0.7727.55", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Insufficient validation of untrusted input in WebML in Google Chrome on Windows prior to 147.0.7727.55 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Insufficient validation of untrusted input", "cweId": "CWE-20"}]}], "providerMetadata": {"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "shortName": "Chrome", "dateUpdated": "2026-04-08T21:20:51.118Z"}, "references": [{"url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html"}, {"url": "https://issues.chromium.org/issues/485203823"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Insufficient validation of untrusted input in WebML in Google Chrome on Windows prior to 147.0.7727.55 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)"}], "id": "CVE-2026-5885", "lastModified": "2026-04-08T22:16:28.167", "metrics": {}, "published": "2026-04-08T22:16:28.167", "references": [{"source": "chrome-cve-admin@google.com", "url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html"}, {"source": "chrome-cve-admin@google.com", "url": "https://issues.chromium.org/issues/485203823"}], "sourceIdentifier": "chrome-cve-admin@google.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "chrome-cve-admin@google.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[147.0.7727.55,147.0.7727.55)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Chrome", "source": "cna", "vendor": "Google"}, "product": "chrome", "vendor": "google"}], "analysis": {"en": {"generated_at": "2026-04-08T22:42:42.001609+00:00", "value": {"mitigation_remediation": ["Update Chrome to version 147.0.7727.55 or later", "Verify that automatic updates are enabled to receive the latest security patches", "If unable to update, consider disabling WebML support in Chrome settings (if available) or use a browser with patches applied"], "summary": {"action": "Patch Immediately", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Google Chrome running on Windows operating systems. Any installation of Chrome before version 147.0.7727.55 is susceptible, regardless of channel, as the patch is released for all stable releases. Users on newer versions are not impacted.", "description_and_impact": "Chrome for Windows prior to 147.0.7727.55 contains an insufficient input validation flaw in WebML. A remote attacker can embed malicious content in an otherwise harmless HTML page, causing the browser to read arbitrary memory while processing WebML data. This allows the attacker to obtain potentially sensitive information from the process memory, resulting in an informational disclosure that could expose confidential user data. The weakness is a classic input validation issue (CWE\u201120).", "risk_and_exploitability": "Overall risk is moderate. The flaw is exploitable remotely through a crafted web page without requiring user interaction beyond visiting the page. No authentication or elevated privileges are needed. While the EPSS score is not provided and the vulnerability is not listed in CISA\u2019s KEV catalog, the medium severity rating and the ability to exfiltrate memory indicate a non-negligible threat if an attacker can supply malicious content to the victim\u2019s browser."}}}}, "created": "2026-04-09T08:17:17.479827+00:00", "title": "Unvalidated WebML Input Enables Memory Information Disclosure in Chrome on Windows", "updated": "2026-04-09T08:26:41.128604+00:00", "vendors": ["google", "google$PRODUCT$chrome"]}