CVE-2026-4676
Published: 24 March 2026
Description
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Security Summary
CVE-2026-4676 is a use-after-free vulnerability (CWE-416) in Dawn, the WebGPU implementation within Chromium, affecting Google Chrome versions prior to 146.0.7680.165. Published on 2026-03-24, it carries a Chromium security severity rating of High and a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
A remote attacker can exploit this flaw by luring a user to interact with a crafted HTML page, potentially achieving a sandbox escape. The attack requires user interaction but no privileges, with low complexity over the network, enabling high confidentiality, integrity, and availability impacts.
Google mitigated the issue via a stable channel update for desktop Chrome, as announced in the Chrome Releases blog (https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_23.html). Additional details are available in the Chromium issue tracker (https://issues.chromium.org/issues/488613135). Security practitioners should ensure systems update to version 146.0.7680.165 or later.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A use-after-free vulnerability in Chromium WebGPU, exploited via a crafted HTML page with user interaction, enables client-side exploitation for code execution (T1203) and sandbox escape for privilege escalation (T1068).