HIGH | CVE-2026-5890 | Published | Modified | CNA: Chrome

CVE-2026-5890: Race in WebCodecs in Google Chrome prior to 147

Race in WebCodecs in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)

Metrics

CVSS v3.1: 7.5
Severity: HIGH
Fixed in: 147.0.7727.55
Affected Products: 1


HarborGuard Analysis

Synopsis

A race condition in the WebCodecs component of Google Chrome prior to version 147.0.7727.55 allows a remote attacker to exploit timing-sensitive behavior in the browser's media processing pipeline. Exploitation requires the attacker to serve a crafted HTML page to a victim, who must visit it, and the attack succeeds over a network connection without any authentication. Successful exploitation gives the attacker read access to process memory contents, enabling disclosure of sensitive in-memory data. A patched-image rebuild at version 147.0.7727.55 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection of CVE-2026-5890 is available across every HarborGuard environment, with the CVE matched against customer images, including custom-built images containing Chrome or Chromium, within minutes of publication from upstream feeds. Any image whose Chrome version falls below 147.0.7727.55 is flagged automatically in customer registries and CI pipelines.

Available

Triage

HarborGuard scores this CVE at 7.5 HIGH using the CVSS v3.1 vector and weights findings against each customer organization's compliance policy to determine urgency and routing. Alerts are routed to the appropriate team inbox within each customer environment based on policy-configured ownership rules.

Available

Patch

A patched-image rebuild at Chrome version 147.0.7727.55 is available on HarborGuard for environments running an affected version. For customers who opt into auto-remediation, HarborGuard performs a rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads automatically.

Available

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the victim over the network by serving a crafted HTML page that the victim's browser loads.

  • Authentication: Not required

    No credentials or account are needed; any unauthenticated remote party can serve the malicious page.

  • Victim interaction: Required

    The victim must visit the attacker-controlled page in a Chrome browser, making this a social-engineering vector where the user must be lured to the URL.

  • Attack complexity: Detail

    Attack complexity is high, meaning the exploit depends on winning a race condition and is not reliably reproducible on demand; timing and environmental factors affect success rate.

Blast Radius

  • Reads contents of the Chrome renderer process memory, which may include session tokens, credentials, or other in-memory secrets.
  • Reads in-memory data belonging to the current browsing session, including page content loaded from authenticated contexts.
  • The scope of memory disclosure is bounded to the affected process, but the specific contents depend on what the renderer has processed at the time of exploitation.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-5890 is active for any customer image that packages Chrome or Chromium below version 147.0.7727.55, with results appearing within minutes of the image being scanned or the CVE being ingested from the Chrome CNA feed. A patched-image rebuild targeting version 147.0.7727.55 is available for affected images. For customers who opt into auto-remediation, HarborGuard initiates a rebuild, runs regression tests against the updated image, and opens a pull request against affected workloads; for HIGH-severity issues, median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy does not permit auto-remediation, the finding is routed to the configured team inbox with full CVSS context and fix-version details for manual action.


Fix available: 147.0.7727.55

Affected packages
  • Google / Chrome
    < 147.0.7727.55 (from 147.0.7727.55)
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H