CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2026-5902

CVSS 9.8v3.1pub. 2026-04-08upd. 2026-04-13

Race in Media in Google Chrome on Android prior to 147.0.7727.55 allowed a remote attacker who had compromised the renderer process to corrupt media stream metadata via a crafted HTML page. (Chromium security severity: Low)

🤖 AI Analysis
How it works

An attacker who has previously compromised the renderer process in Google Chrome on Android can exploit a race condition in the Media component handling. Through a crafted HTML page, the attacker triggers parallel operations on media stream metadata in a manner leading to their corruption. The bug results from lack of appropriate synchronization of access to shared resources (CWE-362).

Impact

An attacker can cause corruption of media stream metadata, which potentially could result in violation of data integrity and confidentiality as well as destabilization of browser operation. In combination with prior compromise of the renderer process, further attack escalation is possible.

Mitigation & patch

Google Chrome on Android should be updated to version 147.0.7727.55 or newer. The update is available through the official Google Chrome stable channel.

Who is affected

Google Chrome on Android in versions earlier than 147.0.7727.55

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Apple macOS

    OS
    Apple
    wszystkie wersje
  • Google Chrome

    APP
    Google
    < 147.0.7727.55
  • Linux Kernel

    OS
    Linux
    wszystkie wersje
  • Microsoft Windows

    OS
    Microsoft
    wszystkie wersje
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
CWE
References

Related vulnerabilities

CVE-2026-8398CRITICAL9.3⚠ KEVPL ✓ten sam produkt

Atak na łańcuch dostaw DAEMON Tools Lite — trojanizacja instalatorów

CVE-2025-10585CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty

CVE-2025-43300CRITICAL10.0⚠ KEVPL ✓ten sam produkt

Apple iOS/iPadOS/macOS — out-of-bounds write przy przetwarzaniu obrazu

CVE-2025-34028CRITICAL9.3⚠ KEVPL ✓ten sam produkt

Commvault Command Center – nieuwierzytelniony RCE przez path traversal w ZIP

CVE-2025-31201CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Apple: Obejście Pointer Authentication w iOS, macOS i innych platformach