Cyber Resilience

CVE-2026-4455

High

Published: 20 March 2026

Published
20 March 2026
Modified
20 March 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0025 16.1th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-4455 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 16.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2026-4455 is a heap buffer overflow vulnerability (CWE-122) in the PDFium component of Google Chrome prior to version 146.0.7680.153. Published on 2026-03-20, it enables a remote attacker to potentially exploit heap corruption by processing a crafted PDF file. Chromium rates the issue as High severity, with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A remote attacker without privileges can exploit this vulnerability by delivering a malicious PDF file, typically via social engineering to induce user interaction such as opening the file in Chrome. The low attack complexity requires no authentication, but relies on user action. Successful exploitation could result in high impacts to confidentiality, integrity, and availability, potentially allowing arbitrary code execution through heap memory corruption.

Google addressed the vulnerability in Chrome stable channel version 146.0.7680.153. Security practitioners should ensure systems are updated to this version or later. Additional details are available in the Chrome Releases announcement at https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_18.html and the Chromium issue tracker at https://issues.chromium.org/issues/488585504.

EU & UK References

Vulnerability details

Heap buffer overflow in PDFium in Google Chrome prior to 146.0.7680.153 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. (Chromium security severity: High)

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1204.002 Malicious File Execution
An adversary may rely upon a user opening a malicious file in order to gain execution.
Why these techniques?

Heap buffer overflow in PDFium enables client-side RCE (T1203) when a user opens a crafted malicious PDF (T1204.002) delivered via social engineering.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-6306Same product: Apple Macos
CVE-2026-5272Same product: Apple Macos
CVE-2026-6305Same product: Apple Macos
CVE-2026-7339Same product: Apple Macos
CVE-2026-8529Same product: Apple Macos
CVE-2026-8509Same product: Apple Macos
CVE-2025-8879Same product: Apple Macos
CVE-2026-4463Same product: Apple Macos
CVE-2026-9939Same product: Apple Macos
CVE-2026-3915Same product: Apple Macos

Affected Assets

google
chrome
≤ 146.0.7680.153

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates CVE-2026-4455 by requiring timely flaw remediation through patching Google Chrome to version 146.0.7680.153 or later.

prevent

Implements memory protection mechanisms that hinder exploitation of heap buffer overflows in PDFium by preventing unauthorized code execution from corrupted memory.

detect

Enables detection of vulnerable Chrome installations affected by CVE-2026-4455 through regular vulnerability scanning.

References