Cyber Posture

CVE-2026-4456

High

Published: 20 March 2026

Modified: 20 March 2026
KEV Added:
Patch:
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0004 (12.3th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Description

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Security Summary

CVE-2026-4456 is a use-after-free vulnerability (CWE-416) in the Digital Credentials API within Google Chrome prior to version 146.0.7680.153. This flaw, published on 2026-03-20, has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is rated High severity by Chromium security standards.

The vulnerability enables a remote attacker who has already compromised the renderer process to potentially escape the sandbox via a crafted HTML page. Exploitation requires user interaction, such as visiting a malicious site, and assumes prior renderer compromise, leading to high impacts on confidentiality, integrity, and availability.

Mitigation involves updating to Google Chrome 146.0.7680.153 or later, as detailed in the Chrome Releases stable channel update blog at https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_18.html and Chromium issue tracker at https://issues.chromium.org/issues/488617440.

Details

CWE(s)
CWE-416

Affected Products

google chrome ≤ 146.0.7680.153

MITRE ATT&CK Enterprise Techniques

T1068: Exploitation for Privilege Escalation (Tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Use-after-free vulnerability enables sandbox escape after renderer compromise, directly facilitating exploitation for privilege escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References