CVE-2026-4463
Published: 20 March 2026
Summary
CVE-2026-4463 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 6.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses the CVE by requiring identification, reporting, and timely patching of the heap buffer overflow flaw in Chrome's WebRTC component.
Implements memory protection techniques like ASLR, DEP, and stack canaries to prevent successful exploitation of heap buffer overflows via heap corruption.
Enforces validation of inputs from crafted HTML pages to mitigate buffer overflows in WebRTC by rejecting malformed data causing heap corruption.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Heap buffer overflow in browser WebRTC component directly enables drive-by compromise via malicious HTML page (T1189) and exploitation for client-side code execution leading to RCE (T1203).
NVD Description
Heap buffer overflow in WebRTC in Google Chrome prior to 146.0.7680.153 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Deeper analysisAI
CVE-2026-4463 is a heap buffer overflow vulnerability (CWE-122) in the WebRTC component of Google Chrome versions prior to 146.0.7680.153. It allows a remote attacker to potentially exploit heap corruption through a crafted HTML page. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is rated High severity by Chromium security.
A remote attacker can exploit this vulnerability by tricking a user into visiting a malicious website containing a crafted HTML page, as it requires user interaction but no special privileges. Successful exploitation could lead to heap corruption, enabling high-impact consequences such as arbitrary code execution, data tampering, or denial of service with full effects on confidentiality, integrity, and availability within the browser's scope.
Google addressed the issue in Chrome version 146.0.7680.153, as detailed in the stable channel update for desktop announced on the Chrome Releases blog (https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_18.html). Additional technical details are available in the Chromium issue tracker (https://issues.chromium.org/issues/491358681). Security practitioners should ensure users update to the patched version or later to mitigate the risk.
Details
- CWE(s)