{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5888", "assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "state": "PUBLISHED", "assignerShortName": "Chrome", "dateReserved": "2026-04-08T19:34:39.633Z", "datePublished": "2026-04-08T21:20:52.176Z", "dateUpdated": "2026-04-08T21:20:52.176Z"}, "containers": {"cna": {"affected": [{"vendor": "Google", "product": "Chrome", "versions": [{"version": "147.0.7727.55", "status": "affected", "lessThan": "147.0.7727.55", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Uninitialized Use in WebCodecs in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Uninitialized Use", "cweId": "CWE-457"}]}], "providerMetadata": {"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "shortName": "Chrome", "dateUpdated": "2026-04-08T21:20:52.176Z"}, "references": [{"url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html"}, {"url": "https://issues.chromium.org/issues/486506202"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Uninitialized Use in WebCodecs in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)"}], "id": "CVE-2026-5888", "lastModified": "2026-04-08T22:16:28.667", "metrics": {}, "published": "2026-04-08T22:16:28.667", "references": [{"source": "chrome-cve-admin@google.com", "url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html"}, {"source": "chrome-cve-admin@google.com", "url": "https://issues.chromium.org/issues/486506202"}], "sourceIdentifier": "chrome-cve-admin@google.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-457"}], "source": "chrome-cve-admin@google.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,147.0.7727.55)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Chrome", "source": "cna", "vendor": "Google"}, "product": "chrome", "vendor": "google"}], "analysis": {"en": {"generated_at": "2026-04-08T22:41:44.884982+00:00", "value": {"mitigation_remediation": ["Check if your Chrome version is older than 147.0.7727.55 by selecting Chrome > About Google Chrome.", "Update Chrome to the latest stable release, which includes the WebCodecs fix.", "Restart the browser after the update to ensure the new code is in use."], "summary": {"action": "Apply Patch", "impact": "Sensitive Data Exposure"}, "threat_synthesis": {"affected_systems": "Google Chrome browsers running versions before 147.0.7727.55 are affected. The safety warning applies to the stable desktop channel used on Windows, macOS, and Linux. Users running older releases or manually installed build versions that have not applied the fix are at risk.", "description_and_impact": "An uninitialized use bug in the WebCodecs API of Google Chrome allows a remote attacker to read potentially sensitive data from the browser's process memory when a specially crafted HTML page is loaded. The flaw is triggered when WebCodecs code references memory that has not been properly initialized, leading to leakage of information that might include credentials or other private data. Because this vulnerability is triggered by a web page, it can be exploited by any site that an attacker controls or by executing a malicious script in a victim's browser session.", "risk_and_exploitability": "Chromium assigns medium severity to this issue. EPSS data is not available and the vulnerability is not listed in CISA\u2019s KEV catalog, so publicly reported exploit activity is unknown. If an attacker can host a malicious web page, the bug can be triggered remotely without any additional authentication. The overall risk is moderate, driven primarily by the ease of attack via a standard web page and the potential value of the leaked memory contents. Timely patching is advisable to eliminate the exposure."}}}}, "created": "2026-04-09T08:17:04.461958+00:00", "title": "Uninitialized Use in WebCodecs Allows Sensitive Data Exposure", "updated": "2026-04-09T08:26:30.629202+00:00", "vendors": ["google", "google$PRODUCT$chrome"]}