CVE-2026-4461
Published: 20 March 2026
Summary
CVE-2026-4461 is a high-severity an unspecified weakness vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 8.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-39 (Process Isolation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-2 mandates timely identification, reporting, and correction of flaws, directly addressing the heap corruption vulnerability in Chrome's V8 engine through vendor patching to version 146.0.7680.153 or later.
SI-16 implements memory protections such as ASLR and write-xor-execute that mitigate heap corruption exploits from crafted HTML pages leading to arbitrary code execution.
SC-39 enforces process isolation in browsers like Chrome, confining renderer process heap corruption to prevent full system compromise.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CVE describes remote exploitation of a V8/Chrome heap corruption flaw via a crafted HTML page, directly enabling drive-by compromise (T1189), exploitation for client execution (T1203), and user execution via malicious link or file (T1204.001/002).
NVD Description
Inappropriate implementation in V8 in Google Chrome prior to 146.0.7680.153 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Deeper analysisAI
CVE-2026-4461 is a high-severity vulnerability stemming from an inappropriate implementation in the V8 JavaScript and WebAssembly engine within Google Chrome versions prior to 146.0.7680.153. It enables potential heap corruption when a user processes a crafted HTML page. The issue carries a CVSS v3.1 base score of 8.8, reflecting its critical impact on confidentiality, integrity, and availability.
A remote attacker can exploit this vulnerability by tricking a user into visiting a malicious website or opening a crafted HTML page, requiring user interaction but no special privileges. Successful exploitation could lead to heap corruption, potentially allowing arbitrary code execution within the browser's renderer process, compromising the victim's system with high-impact effects on data access, modification, and denial of service.
Mitigation is addressed in the Chrome stable channel update documented at https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_18.html, which patches the issue in version 146.0.7680.153 and later. Additional details are available in the Chromium issue tracker at https://issues.chromium.org/issues/490558172. Security practitioners should prioritize updating affected Chrome installations to prevent exploitation.
Details
- CWE(s)