CVE-2026-4674
Published: 24 March 2026
Summary
CVE-2026-4674 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 9.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-39 (Process Isolation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses the CVE by requiring timely identification, reporting, and correction of the out-of-bounds read flaw in Chrome's CSS component via vendor patching to version 146.0.7680.165 or later.
Mitigates memory corruption from the out-of-bounds read by implementing safeguards like ASLR, stack canaries, and non-executable memory to hinder exploitation.
Contains exploitation of the CSS parsing vulnerability within isolated browser renderer processes, preventing escape to higher-privilege system components.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Out-of-bounds read in Chrome CSS renderer via crafted HTML enables drive-by compromise through malicious site visits and direct client-side exploitation for code execution or data leakage.
NVD Description
Out of bounds read in CSS in Google Chrome prior to 146.0.7680.165 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)
Deeper analysisAI
CVE-2026-4674 is an out-of-bounds read vulnerability (CWE-125) in the CSS component of Google Chrome prior to version 146.0.7680.165. This flaw allows a remote attacker to perform out-of-bounds memory access via a crafted HTML page, as reported with Chromium security severity rated High. The vulnerability received a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), highlighting its potential for significant impact.
A remote attacker can exploit CVE-2026-4674 by luring a user to visit a malicious website hosting the crafted HTML page, requiring user interaction such as clicking a link but no special privileges. The low attack complexity and network accessibility make it feasible for widespread targeting. Successful exploitation grants high impacts on confidentiality, integrity, and availability, potentially enabling arbitrary code execution or data leakage through the out-of-bounds memory access.
Mitigation is addressed in the Google Chrome stable channel update to version 146.0.7680.165, as detailed in the Chrome Releases blog post at https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_23.html. Additional technical details are available in the Chromium issue tracker at https://issues.chromium.org/issues/488188166. Security practitioners should prioritize updating affected Chrome installations to the patched version or later.
Details
- CWE(s)