Cyber Resilience

CVE-2026-4448

High

Published: 20 March 2026

Published
20 March 2026
Modified
20 March 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0027 18.6th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-4448 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 18.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-4448 is a heap buffer overflow vulnerability, classified under CWE-122, affecting the ANGLE graphics component in Google Chrome prior to version 146.0.7680.153. Published on 2026-03-20, it enables a remote attacker to potentially exploit heap corruption by processing a crafted HTML page. Chromium security rates it as High severity, with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

The vulnerability can be exploited by a remote attacker with no required privileges over a network accessible vector, though it requires user interaction such as visiting a malicious webpage. Successful exploitation leads to heap corruption, potentially granting high-impact consequences including arbitrary code execution, data tampering, or denial of service affecting confidentiality, integrity, and availability.

Google Chrome version 146.0.7680.153 addresses this issue. Security practitioners should consult the Chrome Releases stable channel update at https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_18.html and the associated Chromium issue at https://issues.chromium.org/issues/486972661 for patch details and verification steps.

EU & UK References

Vulnerability details

Heap buffer overflow in ANGLE in Google Chrome prior to 146.0.7680.153 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1189 Drive-by Compromise Initial Access
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

Heap buffer overflow in Chrome ANGLE enables remote code execution via crafted HTML page requiring user visit, directly mapping to Drive-by Compromise and client-side exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-4463Same product: Apple Macos
CVE-2026-9939Same product: Apple Macos
CVE-2026-3915Same product: Apple Macos
CVE-2026-9119Same product: Apple Macos
CVE-2026-9940Same product: Apple Macos
CVE-2026-5275Same product: Apple Macos
CVE-2026-5858Same product: Apple Macos
CVE-2025-10502Same product: Apple Macos
CVE-2026-4442Same product: Apple Macos
CVE-2026-4443Same product: Apple Macos

Affected Assets

google
chrome
≤ 146.0.7680.153

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-2 mandates timely identification, reporting, and correction of software flaws like the heap buffer overflow in Chrome's ANGLE, preventing exploitation through patching to version 146.0.7680.153.

prevent

SI-16 implements controls such as address space layout randomization and data execution prevention to minimize the impact of heap corruption exploits from crafted HTML pages.

prevent

SI-10 requires validation of information inputs like crafted HTML to prevent buffer overflows in components such as ANGLE by enforcing bounds checking and sanitization.

References