CVE-2026-4455
Published: 20 March 2026
Summary
CVE-2026-4455 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 8.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates CVE-2026-4455 by requiring timely flaw remediation through patching Google Chrome to version 146.0.7680.153 or later.
Implements memory protection mechanisms that hinder exploitation of heap buffer overflows in PDFium by preventing unauthorized code execution from corrupted memory.
Enables detection of vulnerable Chrome installations affected by CVE-2026-4455 through regular vulnerability scanning.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Heap buffer overflow in PDFium enables client-side RCE (T1203) when a user opens a crafted malicious PDF (T1204.002) delivered via social engineering.
NVD Description
Heap buffer overflow in PDFium in Google Chrome prior to 146.0.7680.153 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. (Chromium security severity: High)
Deeper analysisAI
CVE-2026-4455 is a heap buffer overflow vulnerability (CWE-122) in the PDFium component of Google Chrome prior to version 146.0.7680.153. Published on 2026-03-20, it enables a remote attacker to potentially exploit heap corruption by processing a crafted PDF file. Chromium rates the issue as High severity, with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
A remote attacker without privileges can exploit this vulnerability by delivering a malicious PDF file, typically via social engineering to induce user interaction such as opening the file in Chrome. The low attack complexity requires no authentication, but relies on user action. Successful exploitation could result in high impacts to confidentiality, integrity, and availability, potentially allowing arbitrary code execution through heap memory corruption.
Google addressed the vulnerability in Chrome stable channel version 146.0.7680.153. Security practitioners should ensure systems are updated to this version or later. Additional details are available in the Chrome Releases announcement at https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_18.html and the Chromium issue tracker at https://issues.chromium.org/issues/488585504.
Details
- CWE(s)