CVE-2026-4677
Published: 24 March 2026
Summary
CVE-2026-4677 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189). The CVE ranks at the 7.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly mitigates CVE-2026-4677 by requiring timely installation of the Chrome patch version 146.0.7680.165 to remediate the WebAudio out-of-bounds memory read flaw.
Implements memory protection methods such as address space layout randomization and stack guards to prevent exploitation of the out-of-bounds memory read in Chrome's WebAudio.
Enforces process isolation in the browser renderer to contain the impact of the WebAudio memory read exploit and prevent privilege escalation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a browser renderer vulnerability (WebAudio OOB read) triggered by loading a crafted HTML page, which directly enables drive-by delivery of malicious web content (T1189) and exploitation of a client application for execution or memory access (T1203).
NVD Description
Inappropriate implementation in WebAudio in Google Chrome prior to 146.0.7680.165 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: High)
Deeper analysis
CVE-2026-4677 involves an inappropriate implementation in the WebAudio component of Google Chrome prior to version 146.0.7680.165. This flaw enables a remote attacker to perform an out-of-bounds memory read via a crafted HTML page. The vulnerability is mapped to CWE-125 and carries a Chromium security severity rating of High, with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
A remote attacker can exploit this issue over the network with low attack complexity and no privileges required, though it depends on user interaction, such as loading the malicious HTML page. Exploitation results in high impacts across confidentiality, integrity, and availability, potentially allowing memory corruption, information disclosure, or system crashes.
Google addressed the vulnerability in Chrome version 146.0.7680.165. Security practitioners should refer to the Chrome stable channel update at https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_23.html and the Chromium issue tracker entry at https://issues.chromium.org/issues/490533968 for patch details and verification steps.
Details
- CWE(s)