CVE-2026-4447
Published: 20 March 2026
Summary
CVE-2026-4447 is a high-severity an unspecified weakness vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 10.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Mandates timely identification, reporting, and correction of software flaws like the V8 implementation vulnerability in Chrome, preventing arbitrary code execution via crafted HTML pages.
Requires dissemination of security advisories such as Chrome stable channel updates, enabling prompt patching of CVE-2026-4447.
Vulnerability scanning identifies systems running vulnerable Chrome versions affected by CVE-2026-4447 for remediation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE enables drive-by browser exploitation via crafted HTML/JS page leading to sandboxed RCE (T1189); directly matches client application vulnerability exploitation for code execution (T1203); requires user interaction via malicious link (T1204.001).
NVD Description
Inappropriate implementation in V8 in Google Chrome prior to 146.0.7680.153 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Deeper analysisAI
CVE-2026-4447 is an inappropriate implementation vulnerability in the V8 JavaScript and WebAssembly engine within Google Chrome versions prior to 146.0.7680.153. It enables a remote attacker to execute arbitrary code inside the browser's sandbox via a crafted HTML page. The Chromium security team rated it as High severity, with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
A remote attacker can exploit this vulnerability by tricking a user into visiting a malicious website or interacting with a crafted HTML page, requiring no privileges or special access. Successful exploitation allows arbitrary code execution confined to the sandboxed environment, potentially leading to high-impact compromise of confidentiality, integrity, and availability within the browser context.
Mitigation involves updating Google Chrome to version 146.0.7680.153 or later, as detailed in the stable channel update advisory at https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_18.html and the associated Chromium issue tracker at https://issues.chromium.org/issues/486657483.
Details
- CWE(s)