CVE-2026-4680
Published: 24 March 2026
Description
Adversaries may exploit software vulnerabilities in client applications to execute code.
Security Summary
CVE-2026-4680 is a use-after-free vulnerability (CWE-416) in the FedCM component of Google Chrome prior to version 146.0.7680.165. Published on 2026-03-24, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is rated High severity by the Chromium security team.
A remote attacker can exploit this issue via a crafted HTML page, leading to arbitrary code execution inside the browser's sandbox. Exploitation requires user interaction, such as visiting the malicious page, but no privileges or special access are needed.
Google's Chrome Releases blog announces a stable channel update for desktop that addresses this vulnerability (https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_23.html). Additional details are available in the Chromium issue tracker (https://issues.chromium.org/issues/491869946). Security practitioners should ensure Chrome is updated to 146.0.7680.165 or later.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is exploited via a crafted HTML page in Google Chrome, enabling drive-by compromise (T1189) and exploitation for client execution (T1203) through arbitrary code execution in the browser sandbox upon user visit.