CVE-2026-4452
Published: 20 March 2026
Summary
CVE-2026-4452 is a high-severity integer overflow (CWE-190) vulnerability in the ANGLE graphics component of Google Chrome on Windows; the record also carries CWE-472 (External Control of Assumed-Immutable Web Parameter). Its CVSS v3.1 base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189). It is ranked at the 8.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations this analysis identified are NIST SP 800-53 SI-2 (Flaw Remediation) and SC-39 (Process Isolation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation): directly remediates the integer overflow in Chrome's ANGLE component by requiring timely identification, reporting, and patching to version 146.0.7680.153 or later.
Memory protection: raises the cost of turning the heap corruption into code execution through mechanisms such as ASLR and DEP. Note that stack canaries (stack guards) do not apply here, since the corruption is on the heap, not the stack.
SC-39 (Process Isolation): contains potential arbitrary code execution from the ANGLE heap corruption within a sandboxed Chrome process; an attacker would still need a separate sandbox escape to reach the host operating system.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The integer overflow in Chrome's ANGLE component is reachable from a crafted HTML page, so a victim who merely visits a malicious or compromised site can be exploited for code execution inside the browser. That maps directly to Drive-by Compromise (T1189) and Exploitation for Client Execution (T1203).
NVD Description
Integer overflow in ANGLE in Google Chrome on Windows prior to 146.0.7680.153 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Deeper analysis
CVE-2026-4452 is an integer overflow vulnerability in the ANGLE graphics component of Google Chrome on Windows prior to version 146.0.7680.153. Published on 2026-03-20, the flaw enables potential heap corruption when a user loads a crafted HTML page. It maps to CWE-190 (Integer Overflow or Wraparound) and CWE-472 (External Control of Assumed-Immutable Web Parameter), with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), and is rated High severity by Chromium.
A remote attacker without privileges can exploit this issue by luring a target into loading a malicious HTML page, for example by visiting a compromised site. Exploitation could achieve high-impact heap corruption in the affected Chrome process, potentially leading to arbitrary code execution there and, from that foothold, to data theft, system modification, or denial of service.
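The mechanism behind "integer overflow ... heap corruption" is usually a buffer size computed in a 32-bit integer from attacker-influenced dimensions: the product wraps, the allocation comes out far too small, and the code that later fills the buffer writes past its end. The following is an added, generic C illustration of that CWE-190 pattern beside a hardened version; it is not ANGLE's code, nothing in it describes the actual Chromium bug, and the function names, the `MAX_IMAGE_BYTES` cap and the width/height/bytes-per-pixel inputs are assumptions chosen for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Illustrative CWE-190 pattern (not ANGLE's code): a size computed in
 * uint32_t from attacker-influenced dimensions wraps modulo 2^32. */
uint32_t image_bytes_wrapping(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * bpp;   /* silently wraps on overflow */
}

/* Hardened version: overflow-checked multiplication in size_t plus an
 * explicit upper bound (the 1 GiB cap is an assumed policy value). */
#define MAX_IMAGE_BYTES ((size_t)1 << 30)

bool image_bytes_checked(uint32_t width, uint32_t height, uint32_t bpp, size_t *out)
{
    size_t area, total;
    if (__builtin_mul_overflow((size_t)width, (size_t)height, &area)) return false;
    if (__builtin_mul_overflow(area, (size_t)bpp, &total)) return false;
    if (total == 0 || total > MAX_IMAGE_BYTES) return false;
    *out = total;
    return true;
}

/* Convenience wrapper: the checked size, or 0 when the request is rejected. */
size_t checked_image_bytes(uint32_t width, uint32_t height, uint32_t bpp)
{
    size_t n;
    return image_bytes_checked(width, height, bpp, &n) ? n : 0;
}

/* Bytes a fill loop driven by the true pixel count would write past the end
 * of an allocation sized with the wrapping computation. 0 means the two
 * sizes agree (no wrap); UINT64_MAX means the true size does not even fit
 * in 64 bits. */
uint64_t overflow_shortfall(uint32_t width, uint32_t height, uint32_t bpp)
{
    uint64_t area, needed;
    if (__builtin_mul_overflow((uint64_t)width, (uint64_t)height, &area) ||
        __builtin_mul_overflow(area, (uint64_t)bpp, &needed))
        return UINT64_MAX;
    uint64_t allocated = image_bytes_wrapping(width, height, bpp);
    return needed > allocated ? needed - allocated : 0;
}

/* Allocation path using the hardened check: instead of handing back an
 * undersized heap block, it refuses the request. Returns true only if a
 * buffer of the checked size was obtained (and frees it again). */
bool checked_alloc_succeeds(uint32_t width, uint32_t height, uint32_t bpp)
{
    size_t n;
    if (!image_bytes_checked(width, height, bpp, &n)) return false;
    unsigned char *buf = calloc(n, 1);
    if (!buf) return false;
    free(buf);
    return true;
}
```

With width and height both 65536 and one byte per pixel, `image_bytes_wrapping` returns 0 while the fill would write 4 GiB; the hardened path rejects the same request outright. The cap matters as much as the overflow check: on 64-bit builds the product of three 32-bit values can fit in `size_t` and still be an unreasonable allocation.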
Google's stable channel update addresses the vulnerability in Chrome 146.0.7680.153 and later versions, as documented in the Chrome Releases blog at https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_18.html and the Chromium issue tracker at https://issues.chromium.org/issues/487977696. Security practitioners should prioritize patching affected Windows Chrome installations.
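When checking a fleet against the fixed build, compare Chrome's four-part version numerically: a plain string comparison puts 146.0.7680.99 after 146.0.7680.153 and would report a vulnerable build as patched. The following is an added example written for this page (not Google's or Chromium's code) of that comparison against the advisory's fixed version, run over a constructed host inventory; the host names, platforms and version strings in `SAMPLE_INVENTORY` are made up, and the decision to treat non-Windows hosts as out of scope simply mirrors the advisory's wording.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Fixed build named in the advisory for Chrome on Windows. */
#define CVE_2026_4452_FIXED_VERSION "146.0.7680.153"

typedef struct { unsigned part[4]; } chrome_version;

/* Parse "major.minor.build.patch" strictly: exactly four numeric fields
 * and nothing trailing. Returns false for anything else. */
bool parse_chrome_version(const char *s, chrome_version *out)
{
    if (!s || !out) return false;
    int consumed = 0;
    int n = sscanf(s, "%u.%u.%u.%u%n",
                   &out->part[0], &out->part[1], &out->part[2], &out->part[3],
                   &consumed);
    return n == 4 && s[consumed] == '\0';
}

/* Field-by-field numeric comparison: -1, 0 or 1. */
int compare_chrome_version(const chrome_version *a, const chrome_version *b)
{
    for (int i = 0; i < 4; i++) {
        if (a->part[i] < b->part[i]) return -1;
        if (a->part[i] > b->part[i]) return 1;
    }
    return 0;
}

/* The pitfall: lexical comparison of the version strings. */
bool naive_strcmp_says_patched(const char *version)
{
    return strcmp(version, CVE_2026_4452_FIXED_VERSION) >= 0;
}

/* Case-insensitive match for "windows" (the advisory's scope). */
static bool is_windows(const char *platform)
{
    static const char w[] = "windows";
    if (!platform) return false;
    for (size_t i = 0; i < sizeof w; i++)
        if (tolower((unsigned char)platform[i]) != w[i]) return false;
    return true;
}

/* 1 = affected, 0 = not affected, -1 = version string could not be parsed
 * (treat as "verify manually"). */
int cve_2026_4452_status(const char *version, const char *platform)
{
    chrome_version have, fixed;
    if (!parse_chrome_version(version, &have)) return -1;
    parse_chrome_version(CVE_2026_4452_FIXED_VERSION, &fixed);
    if (!is_windows(platform)) return 0;
    return compare_chrome_version(&have, &fixed) < 0 ? 1 : 0;
}

struct host { const char *name; const char *platform; const char *chrome; };

/* Constructed sample inventory; none of these are real hosts or builds. */
static const struct host SAMPLE_INVENTORY[] = {
    { "ws-01",  "Windows", "146.0.7680.99"  },  /* below the fix: affected */
    { "ws-02",  "Windows", "146.0.7680.153" },  /* exactly the fixed build */
    { "ws-03",  "Windows", "145.0.7632.110" },  /* older branch: affected */
    { "ws-04",  "Windows", "147.0.7700.0"   },  /* newer branch */
    { "mac-01", "macOS",   "146.0.7680.99"  },  /* same build, out of scope */
    { "ws-05",  "Windows", "unknown"        },  /* unparsable: manual check */
};
#define SAMPLE_COUNT (sizeof SAMPLE_INVENTORY / sizeof SAMPLE_INVENTORY[0])

/* Count hosts with the given status (1 affected, 0 clear, -1 unparsable). */
int count_sample_with_status(int status)
{
    int count = 0;
    for (size_t i = 0; i < SAMPLE_COUNT; i++)
        if (cve_2026_4452_status(SAMPLE_INVENTORY[i].chrome,
                                 SAMPLE_INVENTORY[i].platform) == status)
            count++;
    return count;
}
```

Hosts whose version cannot be parsed are reported separately rather than silently counted as patched. The Windows-only scoping follows the NVD text; a fleet that updates all platforms from the same stable channel release may reasonably drop the platform test and treat any build below 146.0.7680.153 as needing the update.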
Details
- CWE(s)