CVE-2026-4675
Published: 24 March 2026
Summary
CVE-2026-4675 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189). It ranks at the 7.2 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) (AI)
Requires timely remediation of identified flaws, such as applying the Chrome patch to version 146.0.7680.165 to fix the WebGL heap buffer overflow.
Implements memory protection mechanisms like ASLR and DEP to prevent exploitation of heap buffer overflows leading to out-of-bounds reads.
Enforces process isolation, such as browser renderer sandboxing, to contain potential memory corruption from WebGL exploits.
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
A heap buffer overflow in Chrome WebGL enables remote code execution via a crafted HTML page on a malicious site, directly facilitating Drive-by Compromise (T1189) initial access with user interaction.
NVD Description
Heap buffer overflow in WebGL in Google Chrome prior to 146.0.7680.165 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: High)
Deeper analysis (AI)
CVE-2026-4675 is a heap buffer overflow vulnerability in the WebGL component of Google Chrome prior to version 146.0.7680.165. The flaw enables a remote attacker to perform an out-of-bounds memory read via a crafted HTML page. It is linked to CWE-122 (Heap-based Buffer Overflow) and CWE-787 (Out-of-bounds Write), with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), rated as High severity by Chromium security standards. The vulnerability was published on 2026-03-24.
A remote attacker can exploit this issue by luring a user to visit a malicious website hosting the crafted HTML page; user interaction, such as loading the page, is required. No privileges are needed (PR:N), the attack vector is network-based (AV:N) with low attack complexity (AC:L), and scope is unchanged (S:U). Exploitation carries high confidentiality, integrity, and availability impacts (C:H/I:H/A:H), potentially allowing memory corruption that leads to further compromise.
Mitigation is provided in Google Chrome version 146.0.7680.165 and later, as announced in the stable channel update for desktop on the Chrome Releases blog (https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_23.html). Further technical details are documented in the Chromium issue tracker (https://issues.chromium.org/issues/488270257). Security practitioners should prioritize updating affected systems to patched versions.
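To support that prioritization, the following added example (not part of the original advisory or any vendor tooling) triages a software inventory against the fixed build 146.0.7680.165. The inventory rows, hostnames and function names are constructed for illustration; the only value taken from this page is the fixed version.

```python
import re

# First patched build, as stated in the advisory text above.
FIXED = (146, 0, 7680, 165)

# Constructed sample inventory: (hostname, version string as a tool might report it).
SAMPLE_INVENTORY = [
    ("ws-001", "Google Chrome 146.0.7680.165"),
    ("ws-002", "Google Chrome 146.0.7680.164"),
    ("ws-003", "Google Chrome 146.0.7680.99"),   # string compare would wrongly pass this
    ("ws-004", "Google Chrome 145.0.7632.200"),  # high patch number, older major
    ("ws-005", "Google Chrome 147.0.7700.12"),
    ("ws-006", "Google Chrome 146.0.7680"),      # truncated: cannot be decided
    ("ws-007", ""),                              # no data collected
]

# Exactly four dot-separated numeric fields, not embedded in a longer dotted run.
VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)\.(\d+)(?![\d.])")


def parse_version(text):
    """Return the four-part version as a tuple of ints, or None if absent."""
    match = VERSION_RE.search(text)
    return tuple(int(part) for part in match.groups()) if match else None


def classify(text):
    """Classify one reported version string against the fixed build."""
    version = parse_version(text)
    if version is None:
        # Never assume 'patched' when the build number is missing or truncated.
        return "unknown"
    # Tuple comparison is numeric per field, unlike comparing the raw strings.
    return "patched" if version >= FIXED else "vulnerable"


def triage(inventory):
    """Group hostnames by patch status for remediation tracking."""
    report = {"patched": [], "vulnerable": [], "unknown": []}
    for host, text in inventory:
        report[classify(text)].append(host)
    return report


if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts in the `unknown` group should be re-inventoried rather than counted as remediated.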
Details
- CWE(s)