CVE-2026-4457
Published: 20 March 2026
Summary
CVE-2026-4457 is a high-severity Type Confusion (CWE-843) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 8.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-18 (Mobile Code).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires timely remediation of the type confusion flaw in Chrome's V8 engine by applying the patch in version 146.0.7680.153.
Implements memory safeguards like ASLR and DEP to mitigate heap corruption from type confusion exploits in the V8 renderer process.
Restricts or blocks execution of malicious JavaScript mobile code delivered via crafted HTML pages targeting the V8 vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The type confusion flaw in V8 enables remote heap corruption and code execution when a user visits a crafted malicious HTML/JS page, directly mapping to drive-by compromise (T1189) for initial access and exploitation for client execution (T1203) in the browser renderer.
NVD Description
Type Confusion in V8 in Google Chrome prior to 146.0.7680.153 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Deeper analysisAI
CVE-2026-4457 is a type confusion vulnerability in the V8 JavaScript and WebAssembly engine within Google Chrome versions prior to 146.0.7680.153. This flaw allows a remote attacker to potentially exploit heap corruption through a crafted HTML page, as classified under CWE-843. The Chromium security team rated it as High severity, with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high impacts on confidentiality, integrity, and availability.
A remote attacker can exploit this vulnerability by convincing a user to visit a malicious website containing the crafted HTML page, requiring user interaction but no special privileges. Successful exploitation could lead to heap corruption, enabling arbitrary read/write capabilities, potential code execution in the renderer process, or other severe memory corruption effects within the affected browser instance.
Google's Chrome Releases blog announces a stable channel update for desktop that addresses this issue in version 146.0.7680.153, as tracked in Chromium issue 488803413. Security practitioners should advise users to update Google Chrome to this version or later to mitigate the vulnerability.
Details
- CWE(s)