CVE-2026-4445
Published: 20 March 2026
Description
Adversaries may exploit software vulnerabilities in client applications to execute code.
Security Summary
CVE-2026-4445 is a use-after-free vulnerability (CWE-416) in the WebRTC component of Google Chrome prior to version 146.0.7680.153. Published on 2026-03-20, it enables a remote attacker to potentially exploit heap corruption via a crafted HTML page. Chromium security rates it as High severity, with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
A remote attacker requires no privileges and can exploit this over the network with low attack complexity, though user interaction is needed, such as visiting a malicious webpage. Successful exploitation could achieve high impacts on confidentiality, integrity, and availability through heap corruption.
Mitigation is available in Google Chrome stable channel update to version 146.0.7680.153 and later, as announced in the Chrome Releases blog at https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_18.html. Further details are provided in the Chromium issue tracker at https://issues.chromium.org/issues/486421953.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Use-after-free in Chrome's WebRTC enables heap corruption via crafted HTML page, directly facilitating drive-by compromise (T1189) and exploitation for client execution (T1203).