Cyber Resilience

CVE-2026-4675

High

Published: 24 March 2026

Modified: 24 March 2026
KEV Added
Patch
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0039 (30.3rd percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-4675 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189). The CVE ranks at the 30.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-4675 is a heap buffer overflow vulnerability in the WebGL component of Google Chrome prior to version 146.0.7680.165. The flaw enables a remote attacker to perform an out-of-bounds memory read via a crafted HTML page. It is linked to CWE-122 (Heap-based Buffer Overflow) and CWE-787 (Out-of-bounds Write), with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), rated as High severity by Chromium security standards. The vulnerability was published on 2026-03-24.

A remote attacker can exploit this issue by luring a user to a malicious website hosting the crafted HTML page; user interaction, such as loading the page, is required (UI:R). No privileges are needed (PR:N), the attack vector is network-based (AV:N) with low attack complexity (AC:L), and the scope is unchanged (S:U). Successful exploitation carries high confidentiality, integrity, and availability impact (C:H/I:H/A:H), potentially allowing memory corruption that leads to further compromise.

Mitigation is provided in Google Chrome version 146.0.7680.165 and later, as announced in the stable channel update for desktop on the Chrome Releases blog (https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_23.html). Further technical details are documented in the Chromium issue tracker (https://issues.chromium.org/issues/488270257). Security practitioners should prioritize updating affected systems to patched versions.

Vulnerability details

Heap buffer overflow in WebGL in Google Chrome prior to 146.0.7680.165 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: High)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1189 Drive-by Compromise (Initial Access)
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
Why these techniques?

A heap buffer overflow in Chrome WebGL enables remote code execution via crafted HTML on a malicious site, directly facilitating Drive-by Compromise (T1189) initial access with user interaction.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-2314 · Same product: Apple Macos
CVE-2026-3544 · Same product: Apple Macos
CVE-2026-3931 · Same product: Apple Macos
CVE-2026-3913 · Same product: Apple Macos
CVE-2026-1861 · Same product: Apple Macos
CVE-2026-4673 · Same product: Apple Macos
CVE-2026-4439 · Same product: Apple Macos
CVE-2026-4463 · Same product: Apple Macos
CVE-2026-5285 · Same product: Apple Macos
CVE-2026-9973 · Same product: Apple Macos

Affected Assets

google chrome ≤ 146.0.7680.164

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

Requires timely remediation of identified flaws, such as applying the Chrome patch to version 146.0.7680.165 to fix the WebGL heap buffer overflow.

prevent

Implements memory protection mechanisms like ASLR and DEP to prevent exploitation of heap buffer overflows leading to out-of-bounds reads.

prevent

Enforces process isolation, such as browser renderer sandboxing, to contain potential memory corruption from WebGL exploits.
