CVE-2026-5280EXPLOITEDPATCHED

google · chrome

CVE-2026-5280: Use after free in WebCodecs in Google Chrome prior to 146.0.7680.178 allowed a remote attacker to execute arbitrary code

Description

Use after free in WebCodecs in Google Chrome prior to 146.0.7680.178 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Affected Products

Vendor	Product	Versions
google	chrome	146.0.7680.178

References

Related News (2 articles)

Tier C

VulDB11h ago

CVE-2026-5280 | Google Chrome up to 146.0.7680.165 WebCodecs use after free (ID 491515)

→ No new info (linked only)

Tier B

CERT-FR17h ago

Multiples vulnérabilités dans Google Chrome (01 avril 2026)

→ No new info (linked only)

CVSS 3.16.3 MEDIUM

VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

CISA KEV❌ No

Actively exploited✅ Yes

Patch available

146.0.7680.178

CWECWE-416

PublishedApr 1, 2026

Last enriched10h agov2

Trending Score56

Source articles2

Independent2

Info Completeness8/14

Missing: cvss, epss, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

HIGHCVE-2026-3910EXPKEV

Inappropriate implementation in V8 in Google Chrome prior to 146.0.7680.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Hi

Trending: 111

HIGHCVE-2026-3909EXPKEV

Out of bounds write in Skia in Google Chrome prior to 146.0.7680.75 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)

Trending: 111

HIGHCVE-2026-2441EXPKEV

Use after free in CSS in Google Chrome prior to 145.0.7632.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Trending: 108

MEDIUMCVE-2026-5273EXP

CVE-2026-5273: Use after free in CSS in Google Chrome prior to 146.0.7680.178 allowed a remote attacker to execute arbitrary code insid

Trending: 56

HIGHCVE-2026-4676EXP

Use after free in Dawn in Google Chrome prior to 146.0.7680.165 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Trending: 49

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

Apr 1, 2026

Discovered by ZDM

Apr 1, 2026

Updated: description, severity, affectedVersions, activelyExploited

Apr 1, 2026

Actively Exploited

Apr 1, 2026

Patch Available

Apr 1, 2026

Version History

Last enriched 10h ago

v2Tier C10h ago

Updated severity to CRITICAL, added affected version 146.0.7680.165, and changed exploit availability status.

descriptionseverityaffectedVersionsactivelyExploited

via VulDB

v111h ago

Initial creation