CVE-2026-4451
Published: 20 March 2026
Description
Adversaries may exploit vulnerabilities to evade detection by hiding activity, suppressing logging, or operating within trusted or unmonitored components.
Security Summary
CVE-2026-4451 involves insufficient validation of untrusted input in the Navigation component of Google Chrome prior to version 146.0.7680.153. This vulnerability, mapped to CWE-20, allows a remote attacker who has compromised the renderer process to potentially escape the sandbox via a crafted HTML page. Published on 2026-03-20, it has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is rated High severity by Chromium security.
Exploitation requires a remote attacker to first compromise the Chrome renderer process, after which they can leverage a crafted HTML page to escape the sandbox. The attack is network-accessible with low complexity and no privileges needed, but user interaction is required. Successful exploitation enables high-impact confidentiality, integrity, and availability violations within an unchanged scope.
Mitigation is provided by updating to Google Chrome 146.0.7680.153 or later, as announced in the stable channel update at https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_18.html. Additional details are documented in the Chromium issue tracker at https://issues.chromium.org/issues/487768779.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables exploitation of a client application (Chrome renderer) via crafted HTML for sandbox escape, facilitating client execution (T1203), privilege escalation (T1068), and defense evasion (T1211).