Cyber Resilience

CVE-2026-4449

High

Published: 20 March 2026

Published
20 March 2026
Modified
20 March 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0025 16.4th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-4449 is a high-severity Use After Free (CWE-416) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 16.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2026-4449 is a use-after-free vulnerability (CWE-416) in the Blink rendering engine of Google Chrome prior to version 146.0.7680.153. Published on 2026-03-20, it enables a remote attacker to potentially exploit heap corruption via a crafted HTML page. Chromium security rates it as High severity with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

The vulnerability can be exploited by a remote attacker with no privileges required, over the network, and with low attack complexity, though it requires user interaction such as visiting a malicious webpage. Successful exploitation could lead to high-impact compromise of confidentiality, integrity, and availability through heap corruption.

Advisories indicate mitigation via patching, as outlined in the Chrome stable channel update at https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_18.html and the associated Chromium issue at https://issues.chromium.org/issues/487117772. Users should update to Google Chrome 146.0.7680.153 or later to address the issue.

EU & UK References

Vulnerability details

Use after free in Blink in Google Chrome prior to 146.0.7680.153 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1189 Drive-by Compromise Initial Access
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

CVE-2026-4449 is a use-after-free vulnerability in Chrome's Blink engine exploitable via crafted HTML page, enabling drive-by compromise (T1189) and exploitation for client execution (T1203).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-7357Same product: Apple Macos
CVE-2026-7342Same product: Apple Macos
CVE-2026-4680Same product: Apple Macos
CVE-2026-7355Same product: Apple Macos
CVE-2026-5284Same product: Apple Macos
CVE-2026-9992Same product: Apple Macos
CVE-2026-9118Same product: Apple Macos
CVE-2026-7336Same product: Apple Macos
CVE-2026-7974Same product: Apple Macos
CVE-2026-7352Same product: Apple Macos

Affected Assets

google
chrome
≤ 146.0.7680.153

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Mandates timely identification, reporting, and remediation of flaws like the use-after-free vulnerability in Chrome's Blink engine via patching to version 146.0.7680.153 or later.

detect

Requires monitoring and scanning for vulnerabilities such as CVE-2026-4449 to identify systems running vulnerable Chrome versions prior to exploitation.

prevent

Implements memory safeguards to protect against unauthorized code execution from heap corruption exploits triggered by the Blink use-after-free vulnerability.

References