CVE-2026-4454
Published: 20 March 2026
Description
Adversaries may exploit software vulnerabilities in client applications to execute code.
Security Summary
CVE-2026-4454 is a use-after-free vulnerability (CWE-416) in the Network component of Google Chrome prior to version 146.0.7680.153. Published on 2026-03-20, it enables a remote attacker to potentially exploit heap corruption via a crafted HTML page. Chromium security rates it as High severity, with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
A remote attacker with no privileges can exploit this issue by luring a user to interact with a malicious site hosting the crafted HTML page. Exploitation requires user interaction but could achieve high impacts on confidentiality, integrity, and availability through heap corruption, potentially enabling further attacks like arbitrary code execution.
Google addressed the vulnerability in Chrome 146.0.7680.153, as detailed in the stable channel update for desktop at https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_18.html and the corresponding Chromium issue at https://issues.chromium.org/issues/488585488. Security practitioners should ensure users update to the patched version promptly.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Use-after-free vulnerability in Chrome's Network component exploited remotely via crafted HTML page on malicious site, luring user interaction for heap corruption and potential code execution, directly mapping to Drive-by Compromise (T1189) and Exploitation for Client Execution (T1203).