CVE-2026-4456

High

Published: 20 March 2026

Published

20 March 2026

Modified

20 March 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0004 12.4th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-4456 is a high-severity Use After Free (CWE-416) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 12.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-39 (Process Isolation) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mandates timely remediation of flaws like this use-after-free vulnerability through patching to Chrome 146.0.7680.153 or later.

SI-16 Memory Protection good match

prevent

Implements memory protection mechanisms such as ASLR and DEP that directly mitigate use-after-free exploits in the renderer process.

SC-39 Process Isolation good match

prevent

Enforces process isolation for the renderer sandbox, preventing escape to higher-privilege contexts even after renderer compromise.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

Why these techniques?

Use-after-free vulnerability enables sandbox escape after renderer compromise, directly facilitating exploitation for privilege escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Use after free in Digital Credentials API in Google Chrome prior to 146.0.7680.153 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Deeper analysisAI

CVE-2026-4456 is a use-after-free vulnerability (CWE-416) in the Digital Credentials API within Google Chrome prior to version 146.0.7680.153. This flaw, published on 2026-03-20, has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is rated High severity by Chromium security standards.

The vulnerability enables a remote attacker who has already compromised the renderer process to potentially escape the sandbox via a crafted HTML page. Exploitation requires user interaction, such as visiting a malicious site, and assumes prior renderer compromise, leading to high impacts on confidentiality, integrity, and availability.

Mitigation involves updating to Google Chrome 146.0.7680.153 or later, as detailed in the Chrome Releases stable channel update blog at https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_18.html and Chromium issue tracker at https://issues.chromium.org/issues/488617440.

Details

CWE(s): CWE-416

Affected Products

google

chrome

≤ 146.0.7680.153

CVEs Like This One

CVE-2026-7343Same product: Apple Macos

CVE-2026-6310Same product: Apple Macos

CVE-2026-6304Same product: Apple Macos

CVE-2026-4676Same product: Apple Macos

CVE-2026-6309Same product: Apple Macos

CVE-2026-5288Same product: Apple Macos

CVE-2026-5289Same product: Apple Macos

CVE-2026-5290Same product: Apple Macos

CVE-2026-5874Same product: Apple Macos

CVE-2026-6297Same product: Apple Macos

References

https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_18.html
Vendor Advisory, Release Notes · chrome-cve-admin@google.com
https://issues.chromium.org/issues/488617440
Issue Tracking, Permissions Required · chrome-cve-admin@google.com