CVE-2026-4443
Published: 20 March 2026
Summary
CVE-2026-4443 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189). It ranks at the 7.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-39 (Process Isolation) and SI-16 (Memory Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Mandates timely application of vendor patches to remediate the specific heap buffer overflow vulnerability in Chrome's WebAudio component.
Implements memory protection mechanisms such as ASLR and DEP that directly counter heap buffer overflows attempting unauthorized code execution.
Enforces process isolation via sandboxing to confine arbitrary code execution to the renderer process, limiting potential system-wide impact.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Heap buffer overflow enables RCE via crafted HTML page (drive-by or malicious link), mapping directly to browser/client exploitation techniques.
NVD Description
Heap buffer overflow in WebAudio in Google Chrome prior to 146.0.7680.153 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Deeper analysis
CVE-2026-4443 is a heap buffer overflow vulnerability (CWE-122) in the WebAudio component of Google Chrome versions prior to 146.0.7680.153. It enables a remote attacker to execute arbitrary code within the browser's sandbox by tricking a user into loading a crafted HTML page. The Chromium security team rated it as High severity, with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
A remote attacker without privileges can exploit this vulnerability over the network with low complexity, but it requires user interaction, such as visiting a malicious website. Successful exploitation allows arbitrary code execution confined to the sandboxed renderer process, potentially leading to high confidentiality, integrity, and availability impacts within that context.
Mitigation involves updating Google Chrome to version 146.0.7680.153 or later, as detailed in the stable channel update for desktop announced on the Chrome Releases blog and tracked in Chromium issue 485292589.
Details
- CWE(s)