CVE-2026-4448
Published: 20 March 2026
Summary
CVE-2026-4448 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 9.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-2 mandates timely identification, reporting, and correction of software flaws like the heap buffer overflow in Chrome's ANGLE, preventing exploitation through patching to version 146.0.7680.153.
SI-16 implements controls such as address space layout randomization and data execution prevention to minimize the impact of heap corruption exploits from crafted HTML pages.
SI-10 requires validation of information inputs like crafted HTML to prevent buffer overflows in components such as ANGLE by enforcing bounds checking and sanitization.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Heap buffer overflow in Chrome ANGLE enables remote code execution via crafted HTML page requiring user visit, directly mapping to Drive-by Compromise and client-side exploitation.
NVD Description
Heap buffer overflow in ANGLE in Google Chrome prior to 146.0.7680.153 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Deeper analysisAI
CVE-2026-4448 is a heap buffer overflow vulnerability, classified under CWE-122, affecting the ANGLE graphics component in Google Chrome prior to version 146.0.7680.153. Published on 2026-03-20, it enables a remote attacker to potentially exploit heap corruption by processing a crafted HTML page. Chromium security rates it as High severity, with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
The vulnerability can be exploited by a remote attacker with no required privileges over a network accessible vector, though it requires user interaction such as visiting a malicious webpage. Successful exploitation leads to heap corruption, potentially granting high-impact consequences including arbitrary code execution, data tampering, or denial of service affecting confidentiality, integrity, and availability.
Google Chrome version 146.0.7680.153 addresses this issue. Security practitioners should consult the Chrome Releases stable channel update at https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_18.html and the associated Chromium issue at https://issues.chromium.org/issues/486972661 for patch details and verification steps.
Details
- CWE(s)