CVE-2026-5907
Published: 08 April 2026
Summary
CVE-2026-5907 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Google Chrome. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 26.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses the insufficient data validation in Chrome's Media component that allows out-of-bounds memory reads from crafted video files.
Requires timely remediation of the specific flaw in Chrome versions prior to 147.0.7727.55 through patching to eliminate the vulnerability.
Implements memory safeguards like address space layout randomization to protect against out-of-bounds memory reads exploited via malformed video files.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability enables client-side exploitation via malicious video file or phishing link requiring user interaction to trigger OOB read in Chrome media component.
NVD Description
Insufficient data validation in Media in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to perform an out of bounds memory read via a crafted video file. (Chromium security severity: Low)
Deeper analysisAI
CVE-2026-5907 is an insufficient data validation vulnerability in the Media component of Google Chrome prior to version 147.0.7727.55. It enables a remote attacker to trigger an out-of-bounds memory read through a specially crafted video file. The issue corresponds to CWE-125 (Out-of-bounds Read) and has a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H), though Chromium rates its security severity as Low.
A remote attacker can exploit this vulnerability by convincing a user to open a malicious video file over the network, such as via a phishing link or malicious website. No special privileges are required, but user interaction is necessary to process the file. Successful exploitation could result in high-impact confidentiality loss through memory disclosure and high-impact availability disruption, such as application crashes, without affecting integrity.
Google's Chrome Releases blog announces the patch in the stable channel update for desktop, available in version 147.0.7727.55 and later. Additional details are tracked in the Chromium issue at https://issues.chromium.org/issues/484665123, with the full advisory at https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html. Security practitioners should prioritize updating affected Chrome installations to mitigate the risk.
Details
- CWE(s)