CVE-2026-4442
Published: 20 March 2026
Summary
CVE-2026-4442 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 8.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-39 (Process Isolation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the heap buffer overflow by requiring timely identification, reporting, and patching of the specific vulnerability in Chrome's CSS component to version 146.0.7680.153 or later.
Implements memory protection mechanisms such as ASLR and DEP that hinder successful exploitation of heap corruption even if the unpatched vulnerability exists.
Enforces process isolation through browser sandboxing, limiting the scope of compromise from CSS heap overflow exploitation to the renderer process.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Heap buffer overflow RCE in Chrome via crafted HTML page on malicious site directly enables drive-by compromise (T1189) and exploitation for client execution (T1203); attack requires user to visit malicious link (T1204.001).
NVD Description
Heap buffer overflow in CSS in Google Chrome prior to 146.0.7680.153 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Deeper analysisAI
CVE-2026-4442 is a heap buffer overflow vulnerability (CWE-122) in the CSS component of Google Chrome versions prior to 146.0.7680.153. It allows a remote attacker to potentially exploit heap corruption through a crafted HTML page. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is rated High severity by Chromium security.
A remote attacker can exploit this vulnerability by tricking a user into visiting a malicious website containing a crafted HTML page, as it requires user interaction but no special privileges. Successful exploitation could lead to heap corruption, enabling high-impact consequences such as arbitrary code execution, data theft, or system compromise with full confidentiality, integrity, and availability effects on the targeted browser instance.
Mitigation is provided in Google Chrome version 146.0.7680.153 and later, as detailed in the stable channel update on the Chrome Releases blog (https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_18.html) and the associated Chromium issue tracker (https://issues.chromium.org/issues/484751092). Security practitioners should ensure users update to the patched version promptly.
Details
- CWE(s)