Cyber Resilience

CVE-2026-4456

High

Published: 20 March 2026

Published
20 March 2026
Modified
20 March 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0025 16.4th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-4456 is a high-severity Use After Free (CWE-416) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 16.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-39 (Process Isolation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-4456 is a use-after-free vulnerability (CWE-416) in the Digital Credentials API within Google Chrome prior to version 146.0.7680.153. This flaw, published on 2026-03-20, has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is rated High severity by Chromium security standards.

The vulnerability enables a remote attacker who has already compromised the renderer process to potentially escape the sandbox via a crafted HTML page. Exploitation requires user interaction, such as visiting a malicious site, and assumes prior renderer compromise, leading to high impacts on confidentiality, integrity, and availability.

Mitigation involves updating to Google Chrome 146.0.7680.153 or later, as detailed in the Chrome Releases stable channel update blog at https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_18.html and Chromium issue tracker at https://issues.chromium.org/issues/488617440.

EU & UK References

Vulnerability details

Use after free in Digital Credentials API in Google Chrome prior to 146.0.7680.153 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Use-after-free vulnerability enables sandbox escape after renderer compromise, directly facilitating exploitation for privilege escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-7919Same product: Apple Macos
CVE-2026-9946Same product: Apple Macos
CVE-2026-9925Same product: Apple Macos
CVE-2026-7975Same product: Apple Macos
CVE-2026-9891Same product: Apple Macos
CVE-2026-9877Same product: Apple Macos
CVE-2026-6310Same product: Apple Macos
CVE-2026-7343Same product: Apple Macos
CVE-2026-9931Same product: Apple Macos
CVE-2026-8523Same product: Apple Macos

Affected Assets

google
chrome
≤ 146.0.7680.153

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mandates timely remediation of flaws like this use-after-free vulnerability through patching to Chrome 146.0.7680.153 or later.

prevent

Implements memory protection mechanisms such as ASLR and DEP that directly mitigate use-after-free exploits in the renderer process.

prevent

Enforces process isolation for the renderer sandbox, preventing escape to higher-privilege contexts even after renderer compromise.

References