CVE-2026-4449
Published: 20 March 2026
Description
Adversaries may exploit software vulnerabilities in client applications to execute code.
Security Summary
CVE-2026-4449 is a use-after-free vulnerability (CWE-416) in the Blink rendering engine of Google Chrome prior to version 146.0.7680.153. Published on 2026-03-20, it enables a remote attacker to potentially exploit heap corruption via a crafted HTML page. Chromium security rates it as High severity with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
The vulnerability can be exploited by a remote attacker with no privileges required, over the network, and with low attack complexity, though it requires user interaction such as visiting a malicious webpage. Successful exploitation could lead to high-impact compromise of confidentiality, integrity, and availability through heap corruption.
Advisories indicate mitigation via patching, as outlined in the Chrome stable channel update at https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_18.html and the associated Chromium issue at https://issues.chromium.org/issues/487117772. Users should update to Google Chrome 146.0.7680.153 or later to address the issue.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE-2026-4449 is a use-after-free vulnerability in Chrome's Blink engine exploitable via crafted HTML page, enabling drive-by compromise (T1189) and exploitation for client execution (T1203).