Cyber Resilience

CVE-2026-4447

HighUpdated

Published: 20 March 2026

Published
20 March 2026
Modified
10 June 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0035 27.2th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-4447 is a high-severity Protection Mechanism Failure (CWE-693) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 27.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2026-4447 is an inappropriate implementation vulnerability in the V8 JavaScript and WebAssembly engine within Google Chrome versions prior to 146.0.7680.153. It enables a remote attacker to execute arbitrary code inside the browser's sandbox via a crafted HTML page. The Chromium security team rated it as High severity, with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A remote attacker can exploit this vulnerability by tricking a user into visiting a malicious website or interacting with a crafted HTML page, requiring no privileges or special access. Successful exploitation allows arbitrary code execution confined to the sandboxed environment, potentially leading to high-impact compromise of confidentiality, integrity, and availability within the browser context.

Mitigation involves updating Google Chrome to version 146.0.7680.153 or later, as detailed in the stable channel update advisory at https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_18.html and the associated Chromium issue tracker at https://issues.chromium.org/issues/486657483.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Inappropriate implementation in V8 in Google Chrome prior to 146.0.7680.153 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1189 Drive-by Compromise Initial Access
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1204.001 Malicious Link Execution
An adversary may rely upon a user clicking a malicious link in order to gain execution.
Why these techniques?

CVE enables drive-by browser exploitation via crafted HTML/JS page leading to sandboxed RCE (T1189); directly matches client application vulnerability exploitation for code execution (T1203); requires user interaction via malicious link (T1204.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-8018Same product: Apple Macos
CVE-2026-3543Same product: Apple Macos
CVE-2025-8882Same product: Apple Macos
CVE-2025-10892Same product: Apple Macos
CVE-2026-5286Same product: Apple Macos
CVE-2026-4442Same product: Apple Macos
CVE-2026-9933Same product: Apple Macos
CVE-2026-4443Same product: Apple Macos
CVE-2026-7963Same product: Apple Macos
CVE-2026-6301Same product: Apple Macos

Affected Assets

google
chrome
≤ 146.0.7680.153

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Mandates timely identification, reporting, and correction of software flaws like the V8 implementation vulnerability in Chrome, preventing arbitrary code execution via crafted HTML pages.

prevent

Requires dissemination of security advisories such as Chrome stable channel updates, enabling prompt patching of CVE-2026-4447.

detect

Vulnerability scanning identifies systems running vulnerable Chrome versions affected by CVE-2026-4447 for remediation.

References