CVE-2026-4458
Published: 20 March 2026
Summary
CVE-2026-4458 is a high-severity Use After Free (CWE-416) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Extensions (T1176.001); ranked at the 1.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-11 (User-installed Software) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mandates timely flaw remediation through patching, addressing the specific use-after-free vulnerability fixed in Chrome version 146.0.7680.153.
Enforces policies to restrict or monitor user-installed software, preventing the installation of malicious Chrome extensions required to trigger the vulnerability.
Implements memory protection mechanisms that mitigate heap corruption exploits stemming from the use-after-free vulnerability in Chrome extensions.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
UAF in Chrome Extensions component enables code execution when user installs a crafted malicious extension (T1176.001), constituting client-side exploitation (T1203) after user execution of the extension file (T1204.002).
NVD Description
Use after free in Extensions in Google Chrome prior to 146.0.7680.153 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension. (Chromium security severity: High)
Deeper analysisAI
CVE-2026-4458 is a use-after-free vulnerability (CWE-416) in the Extensions component of Google Chrome prior to version 146.0.7680.153. Published on 2026-03-20, it allows heap corruption via a crafted Chrome Extension. Chromium security severity is rated High, with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
The vulnerability can be exploited by an attacker who convinces a user to install a malicious extension. With network access, low attack complexity, and no required privileges beyond user interaction to install the extension, a successful exploit could result in high impacts to confidentiality, integrity, and availability, potentially enabling heap corruption and related code execution.
Mitigation is detailed in the Chrome Releases stable channel update blog post and the associated Chromium issue tracker entry. Security practitioners should advise users to update Google Chrome to version 146.0.7680.153 or later to patch the vulnerability.
Details
- CWE(s)