CVE-2026-4449
Published: 20 March 2026
Summary
CVE-2026-4449 is a high-severity Use After Free (CWE-416) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 16.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
CVE-2026-4449 is a use-after-free vulnerability (CWE-416) in the Blink rendering engine of Google Chrome prior to version 146.0.7680.153. Published on 2026-03-20, it enables a remote attacker to potentially exploit heap corruption via a crafted HTML page. Chromium security rates it as High severity with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
The vulnerability can be exploited by a remote attacker with no privileges required, over the network, and with low attack complexity, though it requires user interaction such as visiting a malicious webpage. Successful exploitation could lead to high-impact compromise of confidentiality, integrity, and availability through heap corruption.
Advisories indicate mitigation via patching, as outlined in the Chrome stable channel update at https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_18.html and the associated Chromium issue at https://issues.chromium.org/issues/487117772. Users should update to Google Chrome 146.0.7680.153 or later to address the issue.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-13465
Vulnerability details
Use after free in Blink in Google Chrome prior to 146.0.7680.153 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE-2026-4449 is a use-after-free vulnerability in Chrome's Blink engine exploitable via crafted HTML page, enabling drive-by compromise (T1189) and exploitation for client execution (T1203).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Mandates timely identification, reporting, and remediation of flaws like the use-after-free vulnerability in Chrome's Blink engine via patching to version 146.0.7680.153 or later.
Requires monitoring and scanning for vulnerabilities such as CVE-2026-4449 to identify systems running vulnerable Chrome versions prior to exploitation.
Implements memory safeguards to protect against unauthorized code execution from heap corruption exploits triggered by the Blink use-after-free vulnerability.