Description
Use after free in Base in Google Chrome prior to 146.0.7680.153 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)
Published: 2026-03-20
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Potential Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

A use‑after‑free bug in Chrome's Base component can be triggered when a malicious HTML page is rendered. The bug can corrupt the browser's heap, which potentially permits arbitrary code execution on the victim machine.

Affected Systems

The issue exists in any Chrome build before 146.0.7680.153, regardless of operating system. Users running Chrome on Windows, macOS, or Linux are vulnerable.

Risk and Exploitability

The CVSS score of 8.8 reflects a high‑severity risk. Although the EPSS indicates a low probability of exploitation, the vulnerability is unlisted in the KEV database, and its exploitation requires only a crafted HTML page that the user visits. The remote attacker could gain code execution and compromise system integrity.

Generated by OpenCVE AI on March 20, 2026 at 20:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to the latest stable release (at least 146.0.7680.153).
  • If an immediate update is not possible, avoid opening unknown or suspicious HTML files and limit browsing to trusted sites.

Generated by OpenCVE AI on March 20, 2026 at 20:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6171-1 chromium security update
History

Fri, 20 Mar 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Fri, 20 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Fri, 20 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Title Use-After-Free in Google Chrome Base Leading to Heap Corruption via Crafted HTML Page chromium-browser: Use after free in Base
Weaknesses CWE-825
References
Metrics threat_severity

None

 cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}

threat_severity

Critical

Fri, 20 Mar 2026 11:15:00 +0000

Type Values Removed Values Added
Title Use-After-Free in Google Chrome Base Leading to Heap Corruption via Crafted HTML Page

Fri, 20 Mar 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Fri, 20 Mar 2026 02:15:00 +0000

Type Values Removed Values Added
Description Use after free in Base in Google Chrome prior to 146.0.7680.153 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)
Weaknesses CWE-416
References

Subscriptions

Apple Macos
Google Chrome
Linux Linux Kernel
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-03-21T04:01:24.650Z

Reserved: 2026-03-19T20:23:48.029Z

Link: CVE-2026-4441

cve-icon Vulnrichment

Updated: 2026-03-20T14:35:14.436Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-20T02:16:36.630

Modified: 2026-03-20T19:31:19.917

Link: CVE-2026-4441

cve-icon Redhat

Severity : Critical

Publid Date: 2026-03-18T00:00:00Z

Links: CVE-2026-4441 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T14:10:05Z

Weaknesses